idnits 2.17.1 

draft-birkholz-tuda-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 13, 2017) is 2598 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'AIK-Cert' is mentioned on line 2498, but not defined

  == Missing Reference: 'TSA-Cert' is mentioned on line 2498, but not defined

  == Outdated reference: A later version (-11) exists of
     draft-greevenbosch-appsawg-cbor-cddl-09

  == Outdated reference: A later version (-17) exists of
     draft-ietf-core-comi-00

  == Outdated reference: A later version (-24) exists of
     draft-ietf-sacm-coswid-01

  == Outdated reference: A later version (-16) exists of
     draft-ietf-sacm-terminology-11

  -- Obsolete informational reference (is this intentional?): RFC 7049
     (Obsoleted by RFC 8949)

  -- Obsolete informational reference (is this intentional?): RFC 7230
     (Obsoleted by RFC 9110, RFC 9112)

  -- Obsolete informational reference (is this intentional?): RFC 7320
     (Obsoleted by RFC 8820)

  -- Obsolete informational reference (is this intentional?): RFC 7540
     (Obsoleted by RFC 9113)


     Summary: 0 errors (**), 0 flaws (~~), 7 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	Network Working Group                                           A. Fuchs
3	Internet-Draft                                               H. Birkholz
4	Intended status: Informational                            Fraunhofer SIT
5	Expires: September 14, 2017                                  I. McDonald
6	                                                          High North Inc
7	                                                              C. Bormann
8	                                                 Universitaet Bremen TZI
9	                                                          March 13, 2017

11	                 Time-Based Uni-Directional Attestation
12	                         draft-birkholz-tuda-04

14	Abstract

16	   This memo documents the method and bindings used to conduct time-
17	   based uni-directional attestation between distinguishable endpoints
18	   over the network.

20	Status of This Memo

22	   This Internet-Draft is submitted in full conformance with the
23	   provisions of BCP 78 and BCP 79.

25	   Internet-Drafts are working documents of the Internet Engineering
26	   Task Force (IETF).  Note that other groups may also distribute
27	   working documents as Internet-Drafts.  The list of current Internet-
28	   Drafts is at http://datatracker.ietf.org/drafts/current/.

30	   Internet-Drafts are draft documents valid for a maximum of six months
31	   and may be updated, replaced, or obsoleted by other documents at any
32	   time.  It is inappropriate to use Internet-Drafts as reference
33	   material or to cite them other than as "work in progress."

35	   This Internet-Draft will expire on September 14, 2017.

37	Copyright Notice

39	   Copyright (c) 2017 IETF Trust and the persons identified as the
40	   document authors.  All rights reserved.

42	   This document is subject to BCP 78 and the IETF Trust's Legal
43	   Provisions Relating to IETF Documents
44	   (http://trustee.ietf.org/license-info) in effect on the date of
45	   publication of this document.  Please review these documents
46	   carefully, as they describe your rights and restrictions with respect
47	   to this document.  Code Components extracted from this document must
48	   include Simplified BSD License text as described in Section 4.e of
49	   the Trust Legal Provisions and are provided without warranty as
50	   described in the Simplified BSD License.

52	Table of Contents

54	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
55	     1.1.  Remote Attestation  . . . . . . . . . . . . . . . . . . .   3
56	     1.2.  Attestation and Verification  . . . . . . . . . . . . . .   4
57	     1.3.  Information Elements and Conveyance . . . . . . . . . . .   4
58	     1.4.  TUDA Objectives . . . . . . . . . . . . . . . . . . . . .   5
59	     1.5.  Hardware Dependencies . . . . . . . . . . . . . . . . . .   5
60	     1.6.  Requirements Notation . . . . . . . . . . . . . . . . . .   6
61	   2.  TUDA Core Concept . . . . . . . . . . . . . . . . . . . . . .   6
62	     2.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   7
63	       2.1.1.  Universal Terms . . . . . . . . . . . . . . . . . . .   7
64	       2.1.2.  Roles . . . . . . . . . . . . . . . . . . . . . . . .   9
65	       2.1.3.  General Types . . . . . . . . . . . . . . . . . . . .   9
66	       2.1.4.  TPM-Specific Terms  . . . . . . . . . . . . . . . . .   9
67	       2.1.5.  Certificates  . . . . . . . . . . . . . . . . . . . .   9
68	   3.  Time-Based Uni-Directional Attestation  . . . . . . . . . . .   9
69	     3.1.  TUDA Information Elements Update Cycles . . . . . . . . .  11
70	   4.  Sync Base Protocol  . . . . . . . . . . . . . . . . . . . . .  13
71	   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  14
72	   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  14
73	   7.  Change Log  . . . . . . . . . . . . . . . . . . . . . . . . .  14
74	   8.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  15
75	   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  15
76	     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  15
77	     9.2.  Informative References  . . . . . . . . . . . . . . . . .  15
78	   Appendix A.  REST Realization . . . . . . . . . . . . . . . . . .  18
79	   Appendix B.  SNMP Realization . . . . . . . . . . . . . . . . . .  19
80	     B.1.  Structure of TUDA MIB . . . . . . . . . . . . . . . . . .  19
81	       B.1.1.  Cycle Index . . . . . . . . . . . . . . . . . . . . .  20
82	       B.1.2.  Instance Index  . . . . . . . . . . . . . . . . . . .  20
83	       B.1.3.  Fragment Index  . . . . . . . . . . . . . . . . . . .  20
84	     B.2.  Relationship to Host Resources MIB  . . . . . . . . . . .  21
85	     B.3.  Relationship to Entity MIB  . . . . . . . . . . . . . . .  21
86	     B.4.  Relationship to Other MIBs  . . . . . . . . . . . . . . .  21
87	     B.5.  Definition of TUDA MIB  . . . . . . . . . . . . . . . . .  21
88	   Appendix C.  YANG Realization . . . . . . . . . . . . . . . . . .  37
89	   Appendix D.  Realization with TPM 1.2 functions . . . . . . . . .  51
90	     D.1.  TPM Functions . . . . . . . . . . . . . . . . . . . . . .  51
91	       D.1.1.  Tick-Session and Tick-Stamp . . . . . . . . . . . . .  51
92	       D.1.2.  Platform Configuration Registers (PCRs) . . . . . . .  52
93	       D.1.3.  PCR restricted Keys . . . . . . . . . . . . . . . . .  52
94	       D.1.4.  CertifyInfo . . . . . . . . . . . . . . . . . . . . .  53
95	     D.2.  Protocol and Procedure  . . . . . . . . . . . . . . . . .  53
96	       D.2.1.  AIK and AIK Certificate . . . . . . . . . . . . . . .  53
97	       D.2.2.  Synchronization Token . . . . . . . . . . . . . . . .  54
98	       D.2.3.  RestrictionInfo . . . . . . . . . . . . . . . . . . .  56
99	       D.2.4.  Measurement Log . . . . . . . . . . . . . . . . . . .  58
100	       D.2.5.  Implicit Attestation  . . . . . . . . . . . . . . . .  59
101	       D.2.6.  Attestation Verification Approach . . . . . . . . . .  60
102	   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  62
103	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  62

105	1.  Introduction

107	   Remote attestation describes the attempt to determine and appraise
108	   properties, such as integrity and trustworthiness, of an endpoint --
109	   the attestee -- over a network to another endpoint -- the verifier --
110	   without direct access.  Typically, this kind of assessment is based
111	   on measurements of software components running on the attestee, where
112	   the hash values of all started software components are stored
113	   (extended into) a Trust-Anchor implemented as a Hardware Security
114	   Module (e.g. a Trusted Platform Module or similar) and reported via a
115	   signature over the measurements.

117	1.1.  Remote Attestation

119	   In essence, remote attestation is composed of three activities.  The
120	   following definitions are derived from the definitions presented in
121	   [PRIRA] and [TCGGLOSS].

123	   Attestation:  The creation of a claim about the properties of an
124	      attestee, such that the claim can be used as evidence.

126	   Conveyance:  The transfer of evidence from the attestee to the
127	      verifier.

129	   Verification:  The appraisal of evidence by evaluating it against
130	      declarative guidance.

132	   Protocols that facilitate Trust-Anchor based signatures in order to
133	   provide remote attestation are usually bi-directional challenge/
134	   response protocols, such as the Platform Trust Service protocol [PTS]
135	   or CAVES [PRIRA], where one entity sends a challenge that is included
136	   inside the response to ensure the recentness -- the freshness -- of
137	   the attestation information.  The corresponding interaction model
138	   tightly couples the three activities of creating, transferring and
139	   appraising evidence.

141	   The Time-Based Uni-directional Attestation family of protocols --
142	   TUDA -- described in this document can decouple the three activities
143	   remote attestation is composed of.  As a result, TUDA provides
144	   additional capabilities, such as:

146	   o  remote attestation for attestees that might not always be able to
147	      reach the Internet by enabling the verification of past states,

149	   o  secure audit logs by combining the evidence created via TUDA with
150	      measurement logs that represent a detailed record of corresponding
151	      past states,

153	   o  an uni-directional interaction model that can traverse "diode-
154	      like" network security functions or can be leveraged in RESTful
155	      architectures (e.g.  CoAP [RFC7252]), analogously.

157	1.2.  Attestation and Verification

159	   TUDA is a family of protocols that package results from specific
160	   attestation and verification protocols.  TUDA is currently
161	   instantiated for attestion activity based on a Trusted Platform
162	   Module (TPM [TPM12]), a specific Hardware Security Module (HSM)
163	   providing, e.g., Platform Configuration Registers (PCR), restricted
164	   signing keys, and a source of (relative) time (i.e. a tick-counter).

166	   Both the attestation and the verification activity of TUDA also
167	   require a trusted Time Stamp Authority (TSA) as an additional third
168	   party next to the attestee and the verifier.  The current protocol
169	   instantiaton uses a Time Stamp Authority based on [RFC3161].  The
170	   combination of the local source of time provided by the TPM (located
171	   on the attestee) and the Time Stamp Tokens provided by the TSA (to
172	   both the attestee and the verifier) enable the attestation and
173	   verification of an appropriate freshness of the evidence conveyed by
174	   the attestee -- without requiring a challenge/response interaction
175	   model that uses a nonce to ensure the freshness.

177	   The verification activity also requires declarative guidance
178	   (representing desired or compliant endpoint configuration and state)
179	   evidence conveyed by the attestee can be evaluated against.  The
180	   acquisition or representation of declarative guidance as well as the
181	   corresponding evaluation methods are out of the scope of this
182	   document.

184	1.3.  Information Elements and Conveyance

186	   TUDA defines a set of information elements (IE) that are created or
187	   stored on the attestee and are intended to be transferred to the
188	   verifier in order to enable appraisal.

190	   Each TUDA IE is encoded in the Concise Binary Object Representation
191	   (CBOR [RFC7049]) to minimize the volume of data in motion.  In this
192	   document, the composition of the CBOR data items that represent IE is
193	   described using the CBOR Data Definition Language, CDDL
194	   [I-D.greevenbosch-appsawg-cbor-cddl].

196	   Each TUDA IE that requires a certain freshness is only created/
197	   updated when out-dated, which reduces the overall resources required
198	   from the attestee, including the utilization of the TPM.  The IE that
199	   have to be created are determined by their age or by specific state
200	   changes on the attestee (e.g. state changes due to a reboot-cycle).

202	   Each TUDA IE is only transferred when required, which reduces the
203	   amount of data in motion necessary to conduct remote attestation
204	   significantly.  Only IE that have changed since their last conveyance
205	   have to be transferred.

207	   Each TUDA IE that requires a certain freshness can be reused for
208	   multiple remote attestation procedures in the limits of its
209	   corresponding freshness-window, further reducing the load imposed on
210	   the attestee and its corresponding TPM.

212	1.4.  TUDA Objectives

214	   The Time-Based Uni-directional Attestation family of protocols is
215	   designed to:

217	   o  increase the confidence in authentication and authorization
218	      procedures,

220	   o  address the requirements of constrained-node networks,

222	   o  support interaction models that do not maintain connection-state
223	      over time, such as REST architectures [REST],

225	   o  be able to leverage existing management interfaces, such as SNMP
226	      [RFC3411].  RESTCONF [RFC8040] or CoMI [I-D.ietf-core-comi] -- and
227	      corresponding bindings,

229	   o  support broadcast and multicast schemes (e.g.  [IEEE1609]),

231	   o  be able to cope with temporary loss of connectivity, and to

233	   o  provide trustworthy audit logs of past endpoint states.

235	1.5.  Hardware Dependencies

237	   The binding of the attestation scheme used by TUDA to generate the
238	   TUDA IE is specific to the methods provided by the HSM used.  As a
239	   reference, this document includes pseudo-code that illustrates the
240	   production of TUDA IE using a TPM 1.2 and the corresponding TPM
241	   commands specified in [TPM12] as an example.  The references to TPM
242	   1.2 commands and corresponding pseudo-code only serve as guidance to
243	   enable a better understanding of the attestation scheme and is
244	   intended to encourages the use of any appropriate HSM or equivalent
245	   set of Trust-Zone functions.

247	1.6.  Requirements Notation

249	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
250	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
251	   "OPTIONAL" in this document are to be interpreted as described in RFC
252	   2119, BCP 14 [RFC2119].

254	2.  TUDA Core Concept

256	   There are significant differences between conventional bi-directional
257	   attestation and TUDA regarding both the information elements conveyed
258	   between attestee and verifier and the time-frame, in which an
259	   attestation can be considered to be fresh (and therefore
260	   trustworthy).

262	   In general, remote attestation using a bi-directional communication
263	   scheme includes sending a nonce-challenge within a signed attestation
264	   token.  Using the TPM 1.2 as an example, a corresponding nonce-
265	   challenge would be included within the signature created by the
266	   TPM_Quote command in order to prove the freshness of the attestation
267	   response, see e.g.  [PTS].

269	   In contrast, the TUDA protocol would use a combination output of
270	   TPM_CertifyInfo and TPM_TickStampBlob.  The former provides a proof
271	   about the platform's state by attesting that a certain key is bound
272	   to said state.  The latter provides proof that the platform was in
273	   the specified state by using the bound key in a time operation.  This
274	   combination enables a time-based attestation scheme.  This approach
275	   is based on the concepts introduced in [SCALE] and [SFKE2008].

277	   The payload of information elements transmitted is based on different
278	   methods, because the time-frame, in which an attestation is
279	   considered to be fresh (and therefore trustworthy), is defined
280	   differently.

282	   The freshness properties of a challenge-response based protocol
283	   define the point-of-time of attestation between:

285	   o  the time of transmission of the nonce, and

287	   o  the reception of the response
288	   Given the time-based attestation scheme, the freshness property of
289	   TUDA is equivalent to that of bi-directional challenge response
290	   attestation, if the point-in-time of attestation lies between:

292	   o  the transmission of a TUDA time-synchronization token, and

294	   o  the typical round-trip time between the verifier and the attestee,

296	   The accuracy of this time-frame is defined by two factors:

298	   o  the time-synchronization between the attestee and the TSA.  The
299	      time between the two TPM tickstamps give the maximum drift (left
300	      and right) to the TSA timestamp, and

302	   o  the drift of local TPM clocks.

304	   Since TUDA attestations do not rely upon a verifier provided value
305	   (i.e. the nonce), the security guarantees of the protocol only
306	   incorporate the TSA and the TPM.  As a consequence TUDA attestations
307	   can even serve as proof of integrity in audit logs with point in time
308	   guarantees, in contrast to classical attestations.

310	   Appendix A contains guidance on how to utilize a REST architecture.

312	   Appendix B contains guidance on how to create an SNMP binding and a
313	   corresponding TUDA-MIB.

315	   Appendix C contains a corrresponding YANG module that supports both
316	   RESTCONF and CoMI.

318	   Appendix D contains a realization of TUDA using TPM 1.2 primitives.
319	   A realization of TUDA using TPM 2.0 primitives will be added with the
320	   next iteration of this document.

322	2.1.  Terminology

324	   This document introduces roles, information elements and types
325	   required to conduct TUDA and uses terminology (e.g. specific
326	   certificate names) typically seen in the context of attestation or
327	   hardware security modules.

329	2.1.1.  Universal Terms

331	   Attestation Identity Key (AIK):  a special purpose signature
332	      (therefore asymmetric) key that supports identity related
333	      operations.  The private portion of the key pair is maintained
334	      confidential to the entity via appropriate measures (that have an
335	      impact on the scope of confidence).  The public portion of the key
336	      pair may be included in AIK credentials that provide a claim about
337	      the entity.

339	   Claim:  an attribute value pair that is intended to be related to a
340	      statement [I-D.ietf-sacm-terminology].

342	   Endpoint Attestation:  the creation of evidence on the attestee that
343	      provides proof of a set of the endpoints's integrity measurements.
344	      This is done by digitally signing a set of PCRs using an AIK in
345	      the TPM.

347	   Endpoint Characteristics:  the composition, configuration and state
348	      of an endpoint.

350	   Evidence:  a trustworthy set of claims about an endpoint's
351	      characteristics.

353	   Identity:  a set of claims that is intended to be related to an
354	      entity.

356	   Integrity Measurements:  Metrics of endpoint characteristics (i.e.
357	      composition, configuration and state) that affect the confidence
358	      in the trustworthiness of an endpoint.  Digests of integrity
359	      measurements can be stored in shielded locations (i.e.  PCR of a
360	      TPM).

362	   Reference Integrity Measurements:  Signed measurements about the
363	      characteristics of an endpoint's characteristics that are provided
364	      by a vendor and are intended to be used as declarative guidance
365	      [I-D.ietf-sacm-terminology] (e.g. a signed CoSWID).

367	   Trustworthy:  the qualities of an endpoint that guarantee a specific
368	      behavior and/or endpoint characteristics defined by declarative
369	      guidance.  Analogously, trustworthiness is the quality of being
370	      trustworthy with respect to declarative guidance.  Trustworthiness
371	      is not an absolute property but defined with respect to an entity,
372	      corresponding declarative guidance, and has a scope of confidence.

374	      Trustworthy Endpoint: an endpoint that guarantees trustworthy
375	      behavior and/or composition (with respect to certain declarative
376	      guidance and a scope of confidence).

378	      Trustworthy Statement: evidence that is trustworthy conveyed by an
379	      endpoint that is not necessarily trustworthy.

381	2.1.2.  Roles

383	   Attestee:  the endpoint that is the subject of the attestation to
384	      another endpoint.

386	   Verifier:  the endpoint that consumes the attestation of another
387	      endpoint to conduct a verification.

389	   TSA:  a Time Stamp Authority [RFC3161]

391	2.1.3.  General Types

393	   Byte:  the now customary synonym for octet

395	   Cert:  an X.509 certificate represented as a byte-string

397	2.1.4.  TPM-Specific Terms

399	   PCR:  a Platform Configuration Register that is part of a TPM and is
400	      used to securely store and report measurements about security
401	      posture

403	   PCR-Hash:  a hash value of the security posture measurements stored
404	      in a TPM PCR (e.g. regarding running software instances)
405	      represented as a byte-string

407	2.1.5.  Certificates

409	   TSA-CA:  the Certificate Authority that provides the certificate for
410	      the TSA represented as a Cert

412	   AIK-CA:  the Certificate Authority that provides the certificate for
413	      the attestation identity key of the TPM.  This is the client
414	      platform credential for this protocol.  It is a placeholder for a
415	      specific CA and AIK-Cert is a placeholder for the corresponding
416	      certificate, depending on what protocol was used.  The specific
417	      protocols are out of scope for this document, see also
418	      [AIK-Enrollment] and [IEEE802.1AR].

420	3.  Time-Based Uni-Directional Attestation

422	   A Time-Based Uni-Directional Attestation (TUDA) consists of the
423	   following seven information elements.  They are used to gain
424	   assurance of the Attestee's platform configuration at a certain point
425	   in time:

427	   TSA Certificate:  The certificate of the Time Stamp Authority that is
428	      used in a subsequent synchronization protocol token.  This
429	      certificate is signed by the TSA-CA.

431	   AIK Certificate:  A certificate about the Attestation Identity Key
432	      (AIK) used.  This may or may not also be an [IEEE802.1AR] IDevID
433	      or LDevID, depending on their setting of the corresponding
434	      identity property.  ([AIK-Credential], [AIK-Enrollment]; see
435	      Appendix D.2.1.)

437	   Synchronization Token:  The reference for Attestations are the Tick-
438	      Sessions of the TPM.  In order to put Attestations into relation
439	      with a Real Time Clock (RTC), it is necessary to provide a
440	      cryptographic synchronization between the tick session and the
441	      RTC.  To do so, a synchronization protocol is run with a Time
442	      Stamp Authority (TSA).

444	   Restriction Info:  The attestation relies on the capability of the
445	      TPM to operate on restricted keys.  Whenever the PCR values for
446	      the machine to be attested change, a new restricted key is created
447	      that can only be operated as long as the PCRs remain in their
448	      current state.

450	      In order to prove to the Verifier that this restricted temporary
451	      key actually has these properties and also to provide the PCR
452	      value that it is restricted, the TPM command TPM_CertifyInfo is
453	      used.  It creates a signed certificate using the AIK about the
454	      newly created restricted key.

456	   Measurement Log:  Similarly to regular attestations, the Verifier
457	      needs a way to reconstruct the PCRs' values in order to estimate
458	      the trustworthiness of the device.  As such, a list of those
459	      elements that were extended into the PCRs is reported.  Note
460	      though that for certain environments, this step may be optional if
461	      a list of valid PCR configurations exists and no measurement log
462	      is required.

464	   Implicit Attestation:  The actual attestation is then based upon a
465	      TPM_TickStampBlob operation using the restricted temporary key
466	      that was certified in the steps above.  The TPM_TickStampBlob is
467	      executed and thereby provides evidence that at this point in time
468	      (with respect to the TPM internal tick-session) a certain
469	      configuration existed (namely the PCR values associated with the
470	      restricted key).  Together with the synchronization token this
471	      tick-related timing can then be related to the real-time clock.

473	   Concise SWID tags:  As an option to better assess the trustworthiness
474	      of an Attestee, a Verifier can request the reference hashes (often
475	      referred to as golden measurements) of all started software
476	      components to compare them with the entries in the measurement
477	      log.  References hashes regarding installed (and therefore
478	      running) software can be provided by the manufacturer via SWID
479	      tags.  SWID tags are provided by the Attestee using the Concise
480	      SWID representation [I-D.ietf-sacm-coswid] and bundled into a CBOR
481	      array.  Ideally, the reference hashes include a signature created
482	      by the manufacturer of the software.

484	   These information elements could be sent en bloc, but it is
485	   recommended to retrieve them separately to save bandwidth, since
486	   these elements have different update cycles.  In most cases,
487	   retransmitting all seven information elements would result in
488	   unnecessary redundancy.

490	   Furthermore, in some scenarios it might be feasible not to store all
491	   elements on the Attestee endpoint, but instead they could be
492	   retrieved from another location or pre-deployed to the Verifier.  It
493	   is also feasible to only store public keys at the Verifier and skip
494	   the whole certificate provisioning completely in order to save
495	   bandwidth and computation time for certificate verification.

497	3.1.  TUDA Information Elements Update Cycles

499	   An endpoint can be in various states and have various information
500	   associated with it during its life cycle.  For TUDA, a subset of the
501	   states (which can include associated information) that an endpoint
502	   and its TPM can be in, is important to the attestation process.

504	   o  Some states are persistent, even after reboot.  This includes
505	      certificates that are associated with the endpoint itself or with
506	      services it relies on.

508	   o  Some states are more volatile and change at the beginning of each
509	      boot cycle.  This includes the TPM-internal Tick-Session which
510	      provides the basis for the synchronization token and implicit
511	      attestation.

513	   o  Some states are even more volatile and change during an uptime
514	      cycle (the period of time an endpoint is powered on, starting with
515	      its boot).  This includes the content of PCRs of a TPM and thereby
516	      also the PCR-restricted keys used during attestation.

518	   Depending on this "lifetime of state", data has to be transported
519	   over the wire, or not.  E.g. information that does not change due to
520	   a reboot typically has to be transported only once between the
521	   Attestee and the Verifier.

523	   There are three kinds of events that require a renewed attestation:

525	   o  The Attestee completes a boot-cycle

527	   o  A relevant PCR changes

529	   o  Too much time has passed since the last attestation statement

531	   The third event listed above is variable per application use case and
532	   can therefore be set appropriately.  For usage scenarios, in which
533	   the device would periodically push information to be used in an
534	   audit-log, a time-frame of approximately one update per minute should
535	   be sufficient in most cases.  For those usage scenarios, where
536	   verifiers request (pull) a fresh attestation statement, an
537	   implementation could use the TPM continuously to always present the
538	   most freshly created results.  To save some utilization of the TPM
539	   for other purposes, however, a time-frame of once per ten seconds is
540	   recommended, which would leave 80% of utilization for applications.

542	   Attestee                                                 Verifier
543	      |                                                         |
544	    Boot                                                        |
545	      |                                                         |
546	    Create Sync-Token                                           |
547	      |                                                         |
548	    Create Restricted Key                                       |
549	    Certify Restricted Key                                      |
550	      |                                                         |
551	      | AIK-Cert ---------------------------------------------> |
552	      | Sync-Token -------------------------------------------> |
553	      | Certify-Info -----------------------------------------> |
554	      | Measurement Log --------------------------------------> |
555	      | Attestation ------------------------------------------> |
556	      |                                           Verify Attestation
557	      |                                                         |
558	      |       <Time Passed>                                     |
559	      |                                                         |
560	      | Attestation ------------------------------------------> |
561	      |                                           Verify Attestation
562	      |                                                         |
563	      |       <Time Passed>                                     |
564	      |                                                         |
565	    PCR-Change                                                  |
566	      |                                                         |
567	    Create Restricted Key                                       |
568	    Certify Restricted Key                                      |
569	      |                                                         |
570	      | Certify-Info -----------------------------------------> |
571	      | Measurement Log --------------------------------------> |
572	      | Attestation ------------------------------------------> |
573	      |                                           Verify Attestation
574	      |                                                         |
575	    Boot                                                        |
576	      |                                                         |
577	    Create Sync-Token                                           |
578	      |                                                         |
579	    Create Restricted Key                                       |
580	    Certify Restricted Key                                      |
581	      |                                                         |
582	      | Sync-Token -------------------------------------------> |
583	      | Certify-Info -----------------------------------------> |
584	      | Measurement Log --------------------------------------> |
585	      | Attestation ------------------------------------------> |
586	      |                                           Verify Attestation
587	      |                                                         |
588	      |       <Time Passed>                                     |
589	      |                                                         |
590	      | Attestation ------------------------------------------> |
591	      |                                           Verify Attestation
592	      |                                                         |

594	                   Figure 1: Example sequence of events

596	4.  Sync Base Protocol

598	   The uni-directional approach of TUDA requires evidence on how the TPM
599	   time represented in ticks (relative time since boot of the TPM)
600	   relates to the standard time provided by the TSA.  The Sync Base
601	   Protocol (SBP) creates evidence that binds the TPM tick time to the
602	   TSA timestamp.  The binding information is used by and conveyed via
603	   the Sync Token (TUDA IE).  There are three actions required to create
604	   the content of a Sync Token:

606	   o  At a given point in time (called left), a tickstamp counter value
607	      is acquired from the TPM that is also signed by the TPM.  The hash
608	      of counter and signature is used as a nonce in the request
609	      directed at the TSA.

611	   o  The corresponding response includes a data-structure incorporating
612	      the timestamp and its signature created by the TSA.

614	   o  At the point in time the response arrives (right), a signed
615	      tickstamp counter value is acquired from the TPM again, using a
616	      hash of the signed TSA timestamp as a nonce.

618	   The three time-related values -- TPM tick counters (left and right)
619	   and the TSA timestamp -- and their corresponding signatures are
620	   aggregated in order to create a corresponding Sync Token to be used
621	   as a TUDA Information Element that can be conveyed as evidence to a
622	   verifier.

624	   The drift of a TPM clock that drives the increments of the tick
625	   counter constitutes one of the triggers that can initiate a TUDA
626	   Information Element Update Cycle in respect to the freshness of the
627	   available Sync Token.  The following functions illustrate the worst
628	   case freshness-window assuming the maximum drift of TPM tick counters
629	   that is considered acceptable in respect to the standard time -- 15
630	   percent -- as defined by the TPM specification:

632	   content TBD

634	5.  IANA Considerations

636	   This memo includes requests to IANA, including registrations for
637	   media type definitions.

639	   TBD

641	6.  Security Considerations

643	   There are Security Considerations.  TBD

645	7.  Change Log

647	   Changes from version 03 to version 04:

649	   o  Refactoring of Introduction, intend, scope and audience

651	   o  Added first draft of Sync Base Prootol section illustrated
652	      background for interaction with TSA

654	   o  Added YANG module

656	   o  Added missing changelog entry

658	   Changes from version 02 to version 03:

660	   o  Moved base concept out of Introduction

662	   o  First refactoring of Inttroduction and Concept

664	   o  Firrst restructuring of Appendices and improved references
665	   Changes from version 01 to version 02:

667	   o  Restructuring of Introduction, highlighting conceptual
668	      prerequisites

670	   o  Restructuring of Concept to better illustrate differences to hand-
671	      shake based attestation and deciding factors regarding freshness
672	      properties

674	   o  Subsection structure added to Terminology

676	   o  Clarification of descriptions of approach (these were the FIXMEs)

678	   o  Correction of RestrictionInfo structure: Added missing signature
679	      member

681	   Changes from version 00 to version 01:

683	   Major update to the SNMP MIB and added a table for the Concise SWID
684	   profile Reference Hashes that provides additional information to be
685	   compared with the measurement logs.

687	8.  Contributors

689	   TBD

691	9.  References

693	9.1.  Normative References

695	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
696	              Requirement Levels", BCP 14, RFC 2119,
697	              DOI 10.17487/RFC2119, March 1997,
698	              <http://www.rfc-editor.org/info/rfc2119>.

700	9.2.  Informative References

702	   [AIK-Credential]
703	              TCG Infrastructure Working Group, "TCG Credential
704	              Profile", 2007, <https://www.trustedcomputinggroup.org/wp-
705	              content/uploads/IWG-Credential_Profiles_V1_R1_14.pdf>.

707	   [AIK-Enrollment]
708	              TCG Infrastructure Working Group, "A CMC Profile for AIK
709	              Certificate Enrollment", 2011,
710	              <https://www.trustedcomputinggroup.org/wp-content/uploads/
711	              IWG_CMC_Profile_Cert_Enrollment_v1_r7.pdf>.

713	   [I-D.greevenbosch-appsawg-cbor-cddl]
714	              Vigano, C. and H. Birkholz, "CBOR data definition language
715	              (CDDL): a notational convention to express CBOR data
716	              structures", draft-greevenbosch-appsawg-cbor-cddl-09 (work
717	              in progress), September 2016.

719	   [I-D.ietf-core-comi]
720	              Stok, P., Bierman, A., Veillette, M., and A. Pelov, "CoAP
721	              Management Interface", draft-ietf-core-comi-00 (work in
722	              progress), January 2017.

724	   [I-D.ietf-sacm-coswid]
725	              Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
726	              Waltermire, "Concise Software Identifiers", draft-ietf-
727	              sacm-coswid-01 (work in progress), February 2017.

729	   [I-D.ietf-sacm-terminology]
730	              Birkholz, H., Lu, J., Strassner, J., and N. Cam-Winget,
731	              "Secure Automation and Continuous Monitoring (SACM)
732	              Terminology", draft-ietf-sacm-terminology-11 (work in
733	              progress), September 2016.

735	   [IEEE1609]
736	              IEEE Computer Society, "1609.4-2016 - IEEE Standard for
737	              Wireless Access in Vehicular Environments (WAVE) -- Multi-
738	              Channel Operation", IEEE Std 1609.4, 2016.

740	   [IEEE802.1AR]
741	              IEEE Computer Society, "802.1AR-2009 - IEEE Standard for
742	              Local and metropolitan area networks - Secure Device
743	              Identity", IEEE Std 802.1AR, 2009.

745	   [PRIRA]    Coker, G., Guttman, J., Loscocco, P., Herzog, A., Millen,
746	              J., O'Hanlon, B., Ramsdell, J., Segall, A., Sheehy, J.,
747	              and B. Sniffen, "Principles of Remote Attestation",
748	              Springer International Journal of Information Security,
749	              Vol. 10, pp. 63-81, DOI 10.1007/s10207-011-0124-7, April
750	              2011.

752	   [PTS]      TCG TNC Working Group, "TCG Attestation PTS Protocol
753	              Binding to TNC IF-M", 2011,
754	              <https://www.trustedcomputinggroup.org/wp-content/uploads/
755	              IFM_PTS_v1_0_r28.pdf>.

757	   [REST]     Fielding, R., "Architectural Styles and the Design of
758	              Network-based Software Architectures", Ph.D. Dissertation,
759	              University of California, Irvine, 2000,
760	              <http://www.ics.uci.edu/~fielding/pubs/dissertation/
761	              fielding_dissertation.pdf>.

763	   [RFC1213]  McCloghrie, K. and M. Rose, "Management Information Base
764	              for Network Management of TCP/IP-based internets: MIB-II",
765	              STD 17, RFC 1213, DOI 10.17487/RFC1213, March 1991,
766	              <http://www.rfc-editor.org/info/rfc1213>.

768	   [RFC2790]  Waldbusser, S. and P. Grillo, "Host Resources MIB",
769	              RFC 2790, DOI 10.17487/RFC2790, March 2000,
770	              <http://www.rfc-editor.org/info/rfc2790>.

772	   [RFC3161]  Adams, C., Cain, P., Pinkas, D., and R. Zuccherato,
773	              "Internet X.509 Public Key Infrastructure Time-Stamp
774	              Protocol (TSP)", RFC 3161, DOI 10.17487/RFC3161, August
775	              2001, <http://www.rfc-editor.org/info/rfc3161>.

777	   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
778	              Architecture for Describing Simple Network Management
779	              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
780	              DOI 10.17487/RFC3411, December 2002,
781	              <http://www.rfc-editor.org/info/rfc3411>.

783	   [RFC3418]  Presuhn, R., Ed., "Management Information Base (MIB) for
784	              the Simple Network Management Protocol (SNMP)", STD 62,
785	              RFC 3418, DOI 10.17487/RFC3418, December 2002,
786	              <http://www.rfc-editor.org/info/rfc3418>.

788	   [RFC6690]  Shelby, Z., "Constrained RESTful Environments (CoRE) Link
789	              Format", RFC 6690, DOI 10.17487/RFC6690, August 2012,
790	              <http://www.rfc-editor.org/info/rfc6690>.

792	   [RFC6933]  Bierman, A., Romascanu, D., Quittek, J., and M.
793	              Chandramouli, "Entity MIB (Version 4)", RFC 6933,
794	              DOI 10.17487/RFC6933, May 2013,
795	              <http://www.rfc-editor.org/info/rfc6933>.

797	   [RFC7049]  Bormann, C. and P. Hoffman, "Concise Binary Object
798	              Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
799	              October 2013, <http://www.rfc-editor.org/info/rfc7049>.

801	   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
802	              Protocol (HTTP/1.1): Message Syntax and Routing",
803	              RFC 7230, DOI 10.17487/RFC7230, June 2014,
804	              <http://www.rfc-editor.org/info/rfc7230>.

806	   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
807	              Application Protocol (CoAP)", RFC 7252,
808	              DOI 10.17487/RFC7252, June 2014,
809	              <http://www.rfc-editor.org/info/rfc7252>.

811	   [RFC7320]  Nottingham, M., "URI Design and Ownership", BCP 190,
812	              RFC 7320, DOI 10.17487/RFC7320, July 2014,
813	              <http://www.rfc-editor.org/info/rfc7320>.

815	   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
816	              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
817	              DOI 10.17487/RFC7540, May 2015,
818	              <http://www.rfc-editor.org/info/rfc7540>.

820	   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
821	              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
822	              <http://www.rfc-editor.org/info/rfc8040>.

824	   [SCALE]    Fuchs, A., "Improving Scalability for Remote Attestation",
825	              Master Thesis (Diplomarbeit), Technische Universitaet
826	              Darmstadt, Germany, 2008.

828	   [SFKE2008]
829	              Stumpf, F., Fuchs, A., Katzenbeisser, S., and C. Eckert,
830	              "Improving the scalability of platform attestation",
831	              ACM Proceedings of the 3rd ACM workshop on Scalable
832	              trusted computing - STC '08 , page 1-10,
833	              DOI 10.1145/1456455.1456457, 2008.

835	   [STD62]    "Internet Standard 62", STD 62, RFCs 3411 to 3418,
836	              December 2002.

838	   [TCGGLOSS]
839	              TCG, "TCG Glossary", 2012,
840	              <https://www.trustedcomputinggroup.org/wp-content/uploads/
841	              TCG_Glossary_Board-Approved_12.13.2012.pdf>.

843	   [TPM12]    "Information technology -- Trusted Platform Module -- Part
844	              1: Overview", ISO/IEC 11889-1, 2009.

846	Appendix A.  REST Realization

848	   Each of the seven data items is defined as a media type (Section 5).
849	   Representations of resources for each of these media types can be
850	   retrieved from URIs that are defined by the respective servers
851	   [RFC7320].  As can be derived from the URI, the actual retrieval is
852	   via one of the HTTPs ([RFC7230], [RFC7540]) or CoAP [RFC7252].  How a
853	   client obtains these URIs is dependent on the application; e.g., CoRE
854	   Web links [RFC6690] can be used to obtain the relevant URIs from the
855	   self-description of a server, or they could be prescribed by a
856	   RESTCONF data model [RFC8040].

858	Appendix B.  SNMP Realization

860	   SNMPv3 [STD62] [RFC3411] is widely available on computers and also
861	   constrained devices.  To transport the TUDA information elements, an
862	   SNMP MIB is defined below which encodes each of the seven TUDA
863	   information elements into a table.  Each row in a table contains a
864	   single read-only columnar SNMP object of datatype OCTET-STRING.  The
865	   values of a set of rows in each table can be concatenated to
866	   reconstitute a CBOR-encoded TUDA information element.  The Verifier
867	   can retrieve the values for each CBOR fragment by using SNMP GetNext
868	   requests to "walk" each table and can decode each of the CBOR-encoded
869	   data items based on the corresponding CDDL
870	   [I-D.greevenbosch-appsawg-cbor-cddl] definition.

872	   Design Principles:

874	   1.  Over time, TUDA attestation values age and should no longer be
875	       used.  Every table in the TUDA MIB has a primary index with the
876	       value of a separate scalar cycle counter object that
877	       disambiguates the transition from one attestation cycle to the
878	       next.

880	   2.  Over time, the measurement log information (for example) may grow
881	       large.  Therefore, read-only cycle counter scalar objects in all
882	       TUDA MIB object groups facilitate more efficient access with SNMP
883	       GetNext requests.

885	   3.  Notifications are supported by an SNMP trap definition with all
886	       of the cycle counters as bindings, to alert a Verifier that a new
887	       attestation cycle has occurred (e.g., synchronization data,
888	       measurement log, etc. have been updated by adding new rows and
889	       possibly deleting old rows).

891	B.1.  Structure of TUDA MIB

893	   The following table summarizes the object groups, tables and their
894	   indexes, and conformance requirements for the TUDA MIB:

896	   |-------------|-------|----------|----------|----------|
897	   | Group/Table | Cycle | Instance | Fragment | Required |
898	   |-------------|-------|----------|----------|----------|
899	   | General     |       |          |          | x        |
900	   | AIKCert     | x     | x        | x        |          |
901	   | TSACert     | x     | x        | x        |          |
902	   | SyncToken   | x     |          | x        | x        |
903	   | Restrict    | x     |          |          | x        |
904	   | Measure     | x     | x        |          |          |
905	   | VerifyToken | x     |          |          | x        |
906	   | SWIDTag     | x     | x        | x        |          |
907	   |-------------|-------|----------|----------|----------|

909	B.1.1.  Cycle Index

911	   A tudaV1<Group>CycleIndex is the:

913	   1.  first index of a row (element instance or element fragment) in
914	       the tudaV1<Group>Table;

916	   2.  identifier of an update cycle on the table, when rows were added
917	       and/or deleted from the table (bounded by tudaV1<Group>Cycles);
918	       and

920	   3.  binding in the tudaV1TrapV2Cycles notification for directed
921	       polling.

923	B.1.2.  Instance Index

925	   A tudaV1<Group>InstanceIndex is the:

927	   1.  second index of a row (element instance or element fragment) in
928	       the tudaV1<Group>Table; except for

930	   2.  a row in the tudaV1SyncTokenTable (that has only one instance per
931	       cycle).

933	B.1.3.  Fragment Index

935	   A tudaV1<Group>FragmentIndex is the:

937	   1.  last index of a row (always an element fragment) in the
938	       tudaV1<Group>Table; and

940	   2.  accomodation for SNMP transport mapping restrictions for large
941	       string elements that require fragmentation.

943	B.2.  Relationship to Host Resources MIB

945	   The General group in the TUDA MIB is analogous to the System group in
946	   the Host Resources MIB [RFC2790] and provides context information for
947	   the TUDA attestation process.

949	   The Verify Token group in the TUDA MIB is analogous to the Device
950	   group in the Host MIB and represents the verifiable state of a TPM
951	   device and its associated system.

953	   The SWID Tag group (containing a Concise SWID reference hash profile
954	   [I-D.ietf-sacm-coswid]) in the TUDA MIB is analogous to the Software
955	   Installed and Software Running groups in the Host Resources MIB
956	   [RFC2790].

958	B.3.  Relationship to Entity MIB

960	   The General group in the TUDA MIB is analogous to the Entity General
961	   group in the Entity MIB v4 [RFC6933] and provides context information
962	   for the TUDA attestation process.

964	   The SWID Tag group in the TUDA MIB is analogous to the Entity Logical
965	   group in the Entity MIB v4 [RFC6933].

967	B.4.  Relationship to Other MIBs

969	   The General group in the TUDA MIB is analogous to the System group in
970	   MIB-II [RFC1213] and the System group in the SNMPv2 MIB [RFC3418] and
971	   provides context information for the TUDA attestation process.

973	B.5.  Definition of TUDA MIB

975	   <CODE BEGINS>
976	   TUDA-V1-ATTESTATION-MIB DEFINITIONS ::= BEGIN

978	   IMPORTS
979	       MODULE-IDENTITY, OBJECT-TYPE, Integer32, Counter32,
980	       enterprises, NOTIFICATION-TYPE
981	           FROM SNMPv2-SMI                 -- RFC 2578
982	       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
983	           FROM SNMPv2-CONF                -- RFC 2580
984	       SnmpAdminString
985	           FROM SNMP-FRAMEWORK-MIB;        -- RFC 3411

987	   tudaV1MIB MODULE-IDENTITY
988	       LAST-UPDATED    "201701090000Z" -- 09 Januar 2017
989	       ORGANIZATION
990	           "Fraunhofer SIT"

992	       CONTACT-INFO
993	           "Andreas Fuchs
994	           Fraunhofer Institute for Secure Information Technology
995	           Email: andreas.fuchs@sit.fraunhofer.de

997	           Henk Birkholz
998	           Fraunhofer Institute for Secure Information Technology
999	           Email: henk.birkholz@sit.fraunhofer.de

1001	           Ira E McDonald
1002	           High North Inc
1003	           Email: blueroofmusic@gmail.com

1005	           Carsten Bormann
1006	           Universitaet Bremen TZI
1007	           Email: cabo@tzi.org"

1009	       DESCRIPTION
1010	           "The MIB module for monitoring of time-based unidirectional
1011	           attestation information from a network endpoint system,
1012	           based on the Trusted Computing Group TPM 1.2 definition.

1014	           Copyright (C) High North Inc (2017)."

1016	       REVISION "201701090000Z" -- 09 January 2017
1017	           DESCRIPTION
1018	           "Fourth version, published as draft-birkholz-tuda-03."

1020	       REVISION "201607080000Z" -- 08 July 2016
1021	       DESCRIPTION
1022	           "Third version, published as draft-birkholz-tuda-02."

1024	       REVISION "201603210000Z" -- 21 March 2016
1025	       DESCRIPTION
1026	           "Second version, published as draft-birkholz-tuda-01."

1028	       REVISION "201510180000Z" -- 18 October 2015
1029	       DESCRIPTION
1030	           "Initial version, published as draft-birkholz-tuda-00."

1032	           ::= { enterprises fraunhofersit(21616) mibs(1) tudaV1MIB(1) }

1034	   tudaV1MIBNotifications      OBJECT IDENTIFIER ::= { tudaV1MIB 0 }
1035	   tudaV1MIBObjects            OBJECT IDENTIFIER ::= { tudaV1MIB 1 }
1036	   tudaV1MIBConformance        OBJECT IDENTIFIER ::= { tudaV1MIB 2 }

1038	   --
1039	   --  General
1040	   --
1041	   tudaV1General           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 1 }

1043	   tudaV1GeneralCycles OBJECT-TYPE
1044	       SYNTAX      Counter32
1045	       MAX-ACCESS  read-only
1046	       STATUS      current
1047	       DESCRIPTION
1048	           "Count of TUDA update cycles that have occurred, i.e.,
1049	           sum of all the individual group cycle counters.

1051	           DEFVAL intentionally omitted - counter object."
1052	       ::= { tudaV1General 1 }

1054	   tudaV1GeneralVersionInfo OBJECT-TYPE
1055	       SYNTAX      SnmpAdminString (SIZE(0..255))
1056	       MAX-ACCESS  read-only
1057	       STATUS      current
1058	       DESCRIPTION
1059	           "Version information for TUDA MIB, e.g., specific release
1060	           version of TPM 1.2 base specification and release version
1061	           of TPM 1.2 errata specification and manufacturer and model
1062	           TPM module itself."
1063	       DEFVAL      { "" }
1064	       ::= { tudaV1General 2 }

1066	   --
1067	   --  AIK Cert
1068	   --
1069	   tudaV1AIKCert           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 2 }

1071	   tudaV1AIKCertCycles OBJECT-TYPE
1072	       SYNTAX      Counter32
1073	       MAX-ACCESS  read-only
1074	       STATUS      current
1075	       DESCRIPTION
1076	           "Count of AIK Certificate chain update cycles that have
1077	           occurred.

1079	           DEFVAL intentionally omitted - counter object."
1080	       ::= { tudaV1AIKCert 1 }

1082	   tudaV1AIKCertTable OBJECT-TYPE
1083	       SYNTAX      SEQUENCE OF TudaV1AIKCertEntry
1084	       MAX-ACCESS  not-accessible
1085	       STATUS      current
1086	       DESCRIPTION
1087	           "A table of fragments of AIK Certificate data."

1089	       ::= { tudaV1AIKCert 2 }

1091	   tudaV1AIKCertEntry OBJECT-TYPE
1092	       SYNTAX      TudaV1AIKCertEntry
1093	       MAX-ACCESS  not-accessible
1094	       STATUS      current
1095	       DESCRIPTION
1096	           "An entry for one fragment of AIK Certificate data."
1097	       INDEX       { tudaV1AIKCertCycleIndex,
1098	                     tudaV1AIKCertInstanceIndex,
1099	                     tudaV1AIKCertFragmentIndex }
1100	       ::= { tudaV1AIKCertTable 1 }

1102	   TudaV1AIKCertEntry ::=
1103	       SEQUENCE {
1104	           tudaV1AIKCertCycleIndex         Integer32,
1105	           tudaV1AIKCertInstanceIndex      Integer32,
1106	           tudaV1AIKCertFragmentIndex      Integer32,
1107	           tudaV1AIKCertData               OCTET STRING
1108	       }

1110	   tudaV1AIKCertCycleIndex OBJECT-TYPE
1111	       SYNTAX      Integer32 (1..2147483647)
1112	       MAX-ACCESS  not-accessible
1113	       STATUS      current
1114	       DESCRIPTION
1115	           "High-order index of this AIK Certificate fragment.
1116	           Index of an AIK Certificate chain update cycle that has
1117	           occurred (bounded by the value of tudaV1AIKCertCycles).

1119	           DEFVAL intentionally omitted - index object."
1120	       ::= { tudaV1AIKCertEntry 1 }

1122	   tudaV1AIKCertInstanceIndex OBJECT-TYPE
1123	       SYNTAX      Integer32 (1..2147483647)
1124	       MAX-ACCESS  not-accessible
1125	       STATUS      current
1126	       DESCRIPTION
1127	           "Middle index of this AIK Certificate fragment.
1128	           Ordinal of this AIK Certificate in this chain, where the AIK
1129	           Certificate itself has an ordinal of '1' and higher ordinals
1130	           go *up* the certificate chain to the Root CA.

1132	           DEFVAL intentionally omitted - index object."
1133	       ::= { tudaV1AIKCertEntry 2 }

1135	   tudaV1AIKCertFragmentIndex OBJECT-TYPE
1136	       SYNTAX      Integer32 (1..2147483647)
1137	       MAX-ACCESS  not-accessible
1138	       STATUS      current
1139	       DESCRIPTION
1140	           "Low-order index of this AIK Certificate fragment.

1142	           DEFVAL intentionally omitted - index object."
1143	       ::= { tudaV1AIKCertEntry 3 }

1145	   tudaV1AIKCertData OBJECT-TYPE
1146	       SYNTAX      OCTET STRING (SIZE(0..1024))
1147	       MAX-ACCESS  read-only
1148	       STATUS      current
1149	       DESCRIPTION
1150	           "A fragment of CBOR encoded AIK Certificate data."
1151	       DEFVAL      { "" }
1152	       ::= { tudaV1AIKCertEntry 4 }

1154	   --
1155	   --  TSA Cert
1156	   --
1157	   tudaV1TSACert           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 3 }

1159	   tudaV1TSACertCycles OBJECT-TYPE
1160	       SYNTAX      Counter32
1161	       MAX-ACCESS  read-only
1162	       STATUS      current
1163	       DESCRIPTION
1164	           "Count of TSA Certificate chain update cycles that have
1165	           occurred.

1167	           DEFVAL intentionally omitted - counter object."
1168	       ::= { tudaV1TSACert 1 }

1170	   tudaV1TSACertTable OBJECT-TYPE
1171	       SYNTAX      SEQUENCE OF TudaV1TSACertEntry
1172	       MAX-ACCESS  not-accessible
1173	       STATUS      current
1174	       DESCRIPTION
1175	           "A table of fragments of TSA Certificate data."
1176	       ::= { tudaV1TSACert 2 }

1178	   tudaV1TSACertEntry OBJECT-TYPE
1179	       SYNTAX      TudaV1TSACertEntry
1180	       MAX-ACCESS  not-accessible
1181	       STATUS      current
1182	       DESCRIPTION
1183	           "An entry for one fragment of TSA Certificate data."
1184	       INDEX       { tudaV1TSACertCycleIndex,
1185	                     tudaV1TSACertInstanceIndex,
1186	                     tudaV1TSACertFragmentIndex }
1187	       ::= { tudaV1TSACertTable 1 }

1189	   TudaV1TSACertEntry ::=
1190	       SEQUENCE {
1191	           tudaV1TSACertCycleIndex         Integer32,
1192	           tudaV1TSACertInstanceIndex      Integer32,
1193	           tudaV1TSACertFragmentIndex      Integer32,
1194	           tudaV1TSACertData               OCTET STRING
1195	       }

1197	   tudaV1TSACertCycleIndex OBJECT-TYPE
1198	       SYNTAX      Integer32 (1..2147483647)
1199	       MAX-ACCESS  not-accessible
1200	       STATUS      current
1201	       DESCRIPTION
1202	           "High-order index of this TSA Certificate fragment.
1203	           Index of a TSA Certificate chain update cycle that has
1204	           occurred (bounded by the value of tudaV1TSACertCycles).

1206	           DEFVAL intentionally omitted - index object."
1207	       ::= { tudaV1TSACertEntry 1 }

1209	   tudaV1TSACertInstanceIndex OBJECT-TYPE
1210	       SYNTAX      Integer32 (1..2147483647)
1211	       MAX-ACCESS  not-accessible
1212	       STATUS      current
1213	       DESCRIPTION
1214	           "Middle index of this TSA Certificate fragment.
1215	           Ordinal of this TSA Certificate in this chain, where the TSA
1216	           Certificate itself has an ordinal of '1' and higher ordinals
1217	           go *up* the certificate chain to the Root CA.

1219	           DEFVAL intentionally omitted - index object."
1220	       ::= { tudaV1TSACertEntry 2 }

1222	   tudaV1TSACertFragmentIndex OBJECT-TYPE
1223	       SYNTAX      Integer32 (1..2147483647)
1224	       MAX-ACCESS  not-accessible
1225	       STATUS      current
1226	       DESCRIPTION
1227	           "Low-order index of this TSA Certificate fragment.

1229	           DEFVAL intentionally omitted - index object."
1230	       ::= { tudaV1TSACertEntry 3 }

1232	   tudaV1TSACertData OBJECT-TYPE
1233	       SYNTAX      OCTET STRING (SIZE(0..1024))
1234	       MAX-ACCESS  read-only
1235	       STATUS      current
1236	       DESCRIPTION
1237	           "A fragment of CBOR encoded TSA Certificate data."
1238	       DEFVAL      { "" }
1239	       ::= { tudaV1TSACertEntry 4 }

1241	   --
1242	   --  Sync Token
1243	   --
1244	   tudaV1SyncToken         OBJECT IDENTIFIER ::= { tudaV1MIBObjects 4 }

1246	   tudaV1SyncTokenCycles OBJECT-TYPE
1247	       SYNTAX      Counter32
1248	       MAX-ACCESS  read-only
1249	       STATUS      current
1250	       DESCRIPTION
1251	           "Count of Sync Token update cycles that have
1252	           occurred.

1254	           DEFVAL intentionally omitted - counter object."
1255	       ::= { tudaV1SyncToken 1 }

1257	   tudaV1SyncTokenInstances OBJECT-TYPE
1258	       SYNTAX      Counter32
1259	       MAX-ACCESS  read-only
1260	       STATUS      current
1261	       DESCRIPTION
1262	           "Count of Sync Token instance entries that have
1263	           been recorded (some entries MAY have been pruned).

1265	           DEFVAL intentionally omitted - counter object."
1266	       ::= { tudaV1SyncToken 2 }

1268	   tudaV1SyncTokenTable OBJECT-TYPE
1269	       SYNTAX      SEQUENCE OF TudaV1SyncTokenEntry
1270	       MAX-ACCESS  not-accessible
1271	       STATUS      current
1272	       DESCRIPTION
1273	           "A table of fragments of Sync Token data."
1274	       ::= { tudaV1SyncToken 3 }

1276	   tudaV1SyncTokenEntry OBJECT-TYPE
1277	       SYNTAX      TudaV1SyncTokenEntry
1278	       MAX-ACCESS  not-accessible
1279	       STATUS      current
1280	       DESCRIPTION
1281	           "An entry for one fragment of Sync Token data."
1282	       INDEX       { tudaV1SyncTokenCycleIndex,
1283	                     tudaV1SyncTokenInstanceIndex,
1284	                     tudaV1SyncTokenFragmentIndex }
1285	       ::= { tudaV1SyncTokenTable 1 }

1287	   TudaV1SyncTokenEntry ::=
1288	       SEQUENCE {
1289	           tudaV1SyncTokenCycleIndex       Integer32,
1290	           tudaV1SyncTokenInstanceIndex    Integer32,
1291	           tudaV1SyncTokenFragmentIndex    Integer32,
1292	           tudaV1SyncTokenData             OCTET STRING
1293	       }

1295	   tudaV1SyncTokenCycleIndex OBJECT-TYPE
1296	       SYNTAX      Integer32 (1..2147483647)
1297	       MAX-ACCESS  not-accessible
1298	       STATUS      current
1299	       DESCRIPTION
1300	           "High-order index of this Sync Token fragment.
1301	           Index of a Sync Token update cycle that has
1302	           occurred (bounded by the value of tudaV1SyncTokenCycles).

1304	           DEFVAL intentionally omitted - index object."
1305	       ::= { tudaV1SyncTokenEntry 1 }

1307	   tudaV1SyncTokenInstanceIndex OBJECT-TYPE
1308	       SYNTAX      Integer32 (1..2147483647)
1309	       MAX-ACCESS  not-accessible
1310	       STATUS      current
1311	       DESCRIPTION
1312	           "Middle index of this Sync Token fragment.
1313	           Ordinal of this instance of Sync Token data
1314	           (NOT bounded by the value of tudaV1SyncTokenInstances).

1316	           DEFVAL intentionally omitted - index object."
1317	       ::= { tudaV1SyncTokenEntry 2 }

1319	   tudaV1SyncTokenFragmentIndex OBJECT-TYPE
1320	       SYNTAX      Integer32 (1..2147483647)
1321	       MAX-ACCESS  not-accessible
1322	       STATUS      current
1323	       DESCRIPTION
1324	           "Low-order index of this Sync Token fragment.

1326	           DEFVAL intentionally omitted - index object."
1327	       ::= { tudaV1SyncTokenEntry 3 }

1329	   tudaV1SyncTokenData OBJECT-TYPE
1330	       SYNTAX      OCTET STRING (SIZE(0..1024))
1331	       MAX-ACCESS  read-only
1332	       STATUS      current
1333	       DESCRIPTION
1334	           "A fragment of CBOR encoded Sync Token data."
1335	       DEFVAL      { "" }
1336	       ::= { tudaV1SyncTokenEntry 4 }

1338	   --
1339	   --  Restriction Info
1340	   --
1341	   tudaV1Restrict          OBJECT IDENTIFIER ::= { tudaV1MIBObjects 5 }

1343	   tudaV1RestrictCycles OBJECT-TYPE
1344	       SYNTAX      Counter32
1345	       MAX-ACCESS  read-only
1346	       STATUS      current
1347	       DESCRIPTION
1348	           "Count of Restriction Info update cycles that have
1349	           occurred.

1351	           DEFVAL intentionally omitted - counter object."
1352	       ::= { tudaV1Restrict 1 }

1354	   tudaV1RestrictTable OBJECT-TYPE
1355	       SYNTAX      SEQUENCE OF TudaV1RestrictEntry
1356	       MAX-ACCESS  not-accessible
1357	       STATUS      current
1358	       DESCRIPTION
1359	           "A table of instances of Restriction Info data."
1360	       ::= { tudaV1Restrict 2 }

1362	   tudaV1RestrictEntry OBJECT-TYPE
1363	       SYNTAX      TudaV1RestrictEntry
1364	       MAX-ACCESS  not-accessible
1365	       STATUS      current
1366	       DESCRIPTION
1367	           "An entry for one instance of Restriction Info data."
1368	       INDEX       { tudaV1RestrictCycleIndex }
1369	       ::= { tudaV1RestrictTable 1 }

1371	   TudaV1RestrictEntry ::=
1372	       SEQUENCE {
1373	           tudaV1RestrictCycleIndex        Integer32,
1374	           tudaV1RestrictData              OCTET STRING
1375	       }

1377	   tudaV1RestrictCycleIndex OBJECT-TYPE
1378	       SYNTAX      Integer32 (1..2147483647)
1379	       MAX-ACCESS  not-accessible
1380	       STATUS      current
1381	       DESCRIPTION
1382	           "Index of this Restriction Info entry.
1383	           Index of a Restriction Info update cycle that has
1384	           occurred (bounded by the value of tudaV1RestrictCycles).

1386	           DEFVAL intentionally omitted - index object."
1387	       ::= { tudaV1RestrictEntry 1 }

1389	   tudaV1RestrictData OBJECT-TYPE
1390	       SYNTAX      OCTET STRING (SIZE(0..1024))
1391	       MAX-ACCESS  read-only
1392	       STATUS      current
1393	       DESCRIPTION
1394	           "An instance of CBOR encoded Restriction Info data."
1395	       DEFVAL      { "" }
1396	       ::= { tudaV1RestrictEntry 2 }

1398	   --
1399	   --  Measurement Log
1400	   --
1401	   tudaV1Measure           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 6 }

1403	   tudaV1MeasureCycles OBJECT-TYPE
1404	       SYNTAX      Counter32
1405	       MAX-ACCESS  read-only
1406	       STATUS      current
1407	       DESCRIPTION
1408	           "Count of Measurement Log update cycles that have
1409	           occurred.

1411	           DEFVAL intentionally omitted - counter object."
1412	       ::= { tudaV1Measure 1 }

1414	   tudaV1MeasureInstances OBJECT-TYPE
1415	       SYNTAX      Counter32
1416	       MAX-ACCESS  read-only
1417	       STATUS      current
1418	       DESCRIPTION
1419	           "Count of Measurement Log instance entries that have
1420	           been recorded (some entries MAY have been pruned).

1422	           DEFVAL intentionally omitted - counter object."
1423	       ::= { tudaV1Measure 2 }

1425	   tudaV1MeasureTable OBJECT-TYPE
1426	       SYNTAX      SEQUENCE OF TudaV1MeasureEntry
1427	       MAX-ACCESS  not-accessible
1428	       STATUS      current
1429	       DESCRIPTION
1430	           "A table of instances of Measurement Log data."
1431	       ::= { tudaV1Measure 3 }

1433	   tudaV1MeasureEntry OBJECT-TYPE
1434	       SYNTAX      TudaV1MeasureEntry
1435	       MAX-ACCESS  not-accessible
1436	       STATUS      current
1437	       DESCRIPTION
1438	           "An entry for one instance of Measurement Log data."
1439	       INDEX       { tudaV1MeasureCycleIndex,
1440	                     tudaV1MeasureInstanceIndex }
1441	       ::= { tudaV1MeasureTable 1 }

1443	   TudaV1MeasureEntry ::=
1444	       SEQUENCE {
1445	           tudaV1MeasureCycleIndex         Integer32,
1446	           tudaV1MeasureInstanceIndex      Integer32,
1447	           tudaV1MeasureData               OCTET STRING
1448	       }

1450	   tudaV1MeasureCycleIndex OBJECT-TYPE
1451	       SYNTAX      Integer32 (1..2147483647)
1452	       MAX-ACCESS  not-accessible
1453	       STATUS      current
1454	       DESCRIPTION
1455	           "High-order index of this Measurement Log entry.
1456	           Index of a Measurement Log update cycle that has
1457	           occurred (bounded by the value of tudaV1MeasureCycles).

1459	           DEFVAL intentionally omitted - index object."
1460	       ::= { tudaV1MeasureEntry 1 }

1462	   tudaV1MeasureInstanceIndex OBJECT-TYPE
1463	       SYNTAX      Integer32 (1..2147483647)
1464	       MAX-ACCESS  not-accessible
1465	       STATUS      current
1466	       DESCRIPTION
1467	           "Low-order index of this Measurement Log entry.
1468	           Ordinal of this instance of Measurement Log data
1469	           (NOT bounded by the value of tudaV1MeasureInstances).

1471	           DEFVAL intentionally omitted - index object."
1472	       ::= { tudaV1MeasureEntry 2 }

1474	   tudaV1MeasureData OBJECT-TYPE
1475	       SYNTAX      OCTET STRING (SIZE(0..1024))
1476	       MAX-ACCESS  read-only
1477	       STATUS      current
1478	       DESCRIPTION
1479	           "A instance of CBOR encoded Measurement Log data."
1480	       DEFVAL      { "" }
1481	       ::= { tudaV1MeasureEntry 3 }

1483	   --
1484	   --  Verify Token
1485	   --
1486	   tudaV1VerifyToken       OBJECT IDENTIFIER ::= { tudaV1MIBObjects 7 }

1488	   tudaV1VerifyTokenCycles OBJECT-TYPE
1489	       SYNTAX      Counter32
1490	       MAX-ACCESS  read-only
1491	       STATUS      current
1492	       DESCRIPTION
1493	           "Count of Verify Token update cycles that have
1494	           occurred.

1496	           DEFVAL intentionally omitted - counter object."
1497	       ::= { tudaV1VerifyToken 1 }

1499	   tudaV1VerifyTokenTable OBJECT-TYPE
1500	       SYNTAX      SEQUENCE OF TudaV1VerifyTokenEntry
1501	       MAX-ACCESS  not-accessible
1502	       STATUS      current
1503	       DESCRIPTION
1504	           "A table of instances of Verify Token data."
1505	       ::= { tudaV1VerifyToken 2 }

1507	   tudaV1VerifyTokenEntry OBJECT-TYPE
1508	       SYNTAX      TudaV1VerifyTokenEntry
1509	       MAX-ACCESS  not-accessible
1510	       STATUS      current
1511	       DESCRIPTION
1512	           "An entry for one instance of Verify Token data."
1513	       INDEX       { tudaV1VerifyTokenCycleIndex }
1514	       ::= { tudaV1VerifyTokenTable 1 }

1516	   TudaV1VerifyTokenEntry ::=
1517	       SEQUENCE {
1518	           tudaV1VerifyTokenCycleIndex     Integer32,
1519	           tudaV1VerifyTokenData           OCTET STRING
1520	       }

1522	   tudaV1VerifyTokenCycleIndex OBJECT-TYPE
1523	       SYNTAX      Integer32 (1..2147483647)
1524	       MAX-ACCESS  not-accessible
1525	       STATUS      current
1526	       DESCRIPTION
1527	           "Index of this instance of Verify Token data.
1528	           Index of a Verify Token update cycle that has
1529	           occurred (bounded by the value of tudaV1VerifyTokenCycles).

1531	           DEFVAL intentionally omitted - index object."
1532	       ::= { tudaV1VerifyTokenEntry 1 }

1534	   tudaV1VerifyTokenData OBJECT-TYPE
1535	       SYNTAX      OCTET STRING (SIZE(0..1024))
1536	       MAX-ACCESS  read-only
1537	       STATUS      current
1538	       DESCRIPTION
1539	           "A instance of CBOR encoded Verify Token data."
1540	       DEFVAL      { "" }
1541	       ::= { tudaV1VerifyTokenEntry 2 }

1543	   --
1544	   --  SWID Tag
1545	   --
1546	   tudaV1SWIDTag           OBJECT IDENTIFIER ::= { tudaV1MIBObjects 8 }

1548	   tudaV1SWIDTagCycles OBJECT-TYPE
1549	       SYNTAX      Counter32
1550	       MAX-ACCESS  read-only
1551	       STATUS      current
1552	       DESCRIPTION
1553	           "Count of SWID Tag update cycles that have occurred.

1555	           DEFVAL intentionally omitted - counter object."
1556	       ::= { tudaV1SWIDTag 1 }

1558	   tudaV1SWIDTagTable OBJECT-TYPE
1559	       SYNTAX      SEQUENCE OF TudaV1SWIDTagEntry
1560	       MAX-ACCESS  not-accessible
1561	       STATUS      current
1562	       DESCRIPTION
1563	           "A table of fragments of SWID Tag data."
1564	       ::= { tudaV1SWIDTag 2 }

1566	   tudaV1SWIDTagEntry OBJECT-TYPE
1567	       SYNTAX      TudaV1SWIDTagEntry
1568	       MAX-ACCESS  not-accessible
1569	       STATUS      current
1570	       DESCRIPTION
1571	           "An entry for one fragment of SWID Tag data."
1572	       INDEX       { tudaV1SWIDTagCycleIndex,
1573	                     tudaV1SWIDTagInstanceIndex,
1574	                     tudaV1SWIDTagFragmentIndex }
1575	       ::= { tudaV1SWIDTagTable 1 }

1577	   TudaV1SWIDTagEntry ::=
1578	       SEQUENCE {
1579	           tudaV1SWIDTagCycleIndex         Integer32,
1580	           tudaV1SWIDTagInstanceIndex      Integer32,
1581	           tudaV1SWIDTagFragmentIndex      Integer32,
1582	           tudaV1SWIDTagData               OCTET STRING
1583	       }

1585	   tudaV1SWIDTagCycleIndex OBJECT-TYPE
1586	       SYNTAX      Integer32 (1..2147483647)
1587	       MAX-ACCESS  not-accessible
1588	       STATUS      current
1589	       DESCRIPTION
1590	           "High-order index of this SWID Tag fragment.
1591	           Index of an SWID Tag update cycle that has
1592	           occurred (bounded by the value of tudaV1SWIDTagCycles).

1594	           DEFVAL intentionally omitted - index object."
1595	       ::= { tudaV1SWIDTagEntry 1 }

1597	   tudaV1SWIDTagInstanceIndex OBJECT-TYPE
1598	       SYNTAX      Integer32 (1..2147483647)
1599	       MAX-ACCESS  not-accessible
1600	       STATUS      current
1601	       DESCRIPTION
1602	           "Middle index of this SWID Tag fragment.
1603	           Ordinal of this SWID Tag instance in this update cycle.

1605	           DEFVAL intentionally omitted - index object."
1606	       ::= { tudaV1SWIDTagEntry 2 }

1608	   tudaV1SWIDTagFragmentIndex OBJECT-TYPE
1609	       SYNTAX      Integer32 (1..2147483647)
1610	       MAX-ACCESS  not-accessible
1611	       STATUS      current
1612	       DESCRIPTION
1613	           "Low-order index of this SWID Tag fragment.

1615	           DEFVAL intentionally omitted - index object."
1616	       ::= { tudaV1SWIDTagEntry 3 }

1618	   tudaV1SWIDTagData OBJECT-TYPE
1619	       SYNTAX      OCTET STRING (SIZE(0..1024))
1620	       MAX-ACCESS  read-only
1621	       STATUS      current
1622	       DESCRIPTION
1623	           "A fragment of CBOR encoded SWID Tag data."
1624	       DEFVAL      { "" }
1625	       ::= { tudaV1SWIDTagEntry 4 }

1627	   --
1628	   --  Trap Cycles
1629	   --
1630	   tudaV1TrapV2Cycles NOTIFICATION-TYPE
1631	       OBJECTS {
1632	           tudaV1GeneralCycles,
1633	           tudaV1AIKCertCycles,
1634	           tudaV1TSACertCycles,
1635	           tudaV1SyncTokenCycles,
1636	           tudaV1SyncTokenInstances,
1637	           tudaV1RestrictCycles,
1638	           tudaV1MeasureCycles,
1639	           tudaV1MeasureInstances,
1640	           tudaV1VerifyTokenCycles,
1641	           tudaV1SWIDTagCycles
1642	       }
1643	       STATUS  current
1644	       DESCRIPTION
1645	           "This trap is sent when the value of any cycle or instance
1646	           counter changes (i.e., one or more tables are updated).

1648	           Note:  The value of sysUpTime in IETF MIB-II (RFC 1213) is
1649	           always included in SNMPv2 traps, per RFC 3416."
1650	       ::= { tudaV1MIBNotifications 1 }

1652	   --
1653	   --  Conformance Information
1654	   --
1655	   tudaV1Compliances           OBJECT IDENTIFIER
1656	       ::= { tudaV1MIBConformance 1 }

1658	   tudaV1ObjectGroups          OBJECT IDENTIFIER
1659	       ::= { tudaV1MIBConformance 2 }

1661	   tudaV1NotificationGroups    OBJECT IDENTIFIER
1662	       ::= { tudaV1MIBConformance 3 }

1664	   --
1665	   --  Compliance Statements
1666	   --
1667	   tudaV1BasicCompliance MODULE-COMPLIANCE
1668	       STATUS  current
1669	       DESCRIPTION
1670	           "An implementation that complies with this module MUST
1671	           implement all of the objects defined in the mandatory
1672	           group tudaV1BasicGroup."
1673	       MODULE  -- this module
1674	       MANDATORY-GROUPS { tudaV1BasicGroup }

1676	       GROUP   tudaV1OptionalGroup
1677	       DESCRIPTION
1678	           "The optional TUDA MIB objects.
1679	           An implementation MAY implement this group."

1681	       GROUP   tudaV1TrapGroup
1682	       DESCRIPTION
1683	           "The TUDA MIB traps.
1684	           An implementation SHOULD implement this group."
1685	       ::= { tudaV1Compliances 1 }

1687	   --
1688	   --  Compliance Groups
1689	   --
1690	   tudaV1BasicGroup OBJECT-GROUP
1691	       OBJECTS {
1692	           tudaV1GeneralCycles,
1693	           tudaV1GeneralVersionInfo,
1694	           tudaV1SyncTokenCycles,
1695	           tudaV1SyncTokenInstances,
1696	           tudaV1SyncTokenData,
1697	           tudaV1RestrictCycles,
1698	           tudaV1RestrictData,
1699	           tudaV1VerifyTokenCycles,
1700	           tudaV1VerifyTokenData
1701	       }
1702	       STATUS  current
1703	       DESCRIPTION
1704	           "The basic mandatory TUDA MIB objects."
1705	       ::= { tudaV1ObjectGroups 1 }

1707	   tudaV1OptionalGroup OBJECT-GROUP
1708	       OBJECTS {
1709	           tudaV1AIKCertCycles,
1710	           tudaV1AIKCertData,
1711	           tudaV1TSACertCycles,
1712	           tudaV1TSACertData,
1713	           tudaV1MeasureCycles,
1714	           tudaV1MeasureInstances,
1715	           tudaV1MeasureData,
1716	           tudaV1SWIDTagCycles,
1717	           tudaV1SWIDTagData
1718	       }
1719	       STATUS  current
1720	       DESCRIPTION
1721	           "The optional TUDA MIB objects."
1722	       ::= { tudaV1ObjectGroups 2 }

1724	   tudaV1TrapGroup NOTIFICATION-GROUP
1725	       NOTIFICATIONS { tudaV1TrapV2Cycles }
1726	       STATUS      current
1727	       DESCRIPTION
1728	           "The recommended TUDA MIB traps - notifications."
1729	       ::= { tudaV1NotificationGroups 1 }

1731	   END
1732	   <CODE ENDS>

1734	Appendix C.  YANG Realization

1736	<CODE BEGINS>
1737	/*
1738	 * This module has been generated by smidump 0.4.8:
1739	 *
1740	 *      smidump -f yang TUDA-V1-ATTESTATION-MIB
1741	 *
1742	 * Do not edit. Edit the source file instead!
1743	 */

1745	module TUDA-V1-ATTESTATION-MIB {

1747	  /*** NAMESPACE / PREFIX DEFINITION ***/

1749	  namespace "urn:ietf:params:xml:ns:yang:smiv2:TUDA-V1-ATTESTATION-MIB";
1750	  prefix "tuda-v1";

1752	  /*** LINKAGE (IMPORTS / INCLUDES) ***/

1754	  import SNMP-FRAMEWORK-MIB { prefix "snmp-framework"; }
1755	  import yang-types         { prefix "yang"; }

1757	  /*** META INFORMATION ***/

1759	  organization
1760	   "Fraunhofer SIT";

1762	  contact
1763	   "Andreas Fuchs
1764	    Fraunhofer Institute for Secure Information Technology
1765	    Email: andreas.fuchs@sit.fraunhofer.de

1767	    Henk Birkholz
1768	    Fraunhofer Institute for Secure Information Technology
1769	    Email: henk.birkholz@sit.fraunhofer.de

1771	    Ira E McDonald
1772	    High North Inc
1773	    Email: blueroofmusic@gmail.com

1775	    Carsten Bormann
1776	    Universitaet Bremen TZI
1777	    Email: cabo@tzi.org";

1779	  description
1780	   "The MIB module for monitoring of time-based unidirectional
1781	    attestation information from a network endpoint system,
1782	    based on the Trusted Computing Group TPM 1.2 definition.

1784	    Copyright (C) High North Inc (2017).";

1786	  revision "2017-01-09" {
1787	    description
1788	     "Fourth version, published as draft-birkholz-tuda-03.";
1789	  }
1790	  revision "2016-07-08" {
1791	    description
1792	     "Third version, published as draft-birkholz-tuda-02.";
1793	  }
1794	  revision "2016-03-21" {
1795	    description
1796	     "Second version, published as draft-birkholz-tuda-01.";
1797	  }
1798	  revision "2015-10-18" {
1799	    description
1800	     "Initial version, published as draft-birkholz-tuda-00.";
1801	  }

1803	  container tudaV1General {

1805	    leaf tudaV1GeneralCycles {
1806	      type yang:counter32;
1807	      config false;
1808	      description
1809	       "Count of TUDA update cycles that have occurred, i.e.,
1810	        sum of all the individual group cycle counters.

1812	        DEFVAL intentionally omitted - counter object.";
1813	    }

1815	    leaf tudaV1GeneralVersionInfo {
1816	      type snmp-framework:SnmpAdminString {
1817	        length "0..255";
1818	      }
1819	      config false;
1820	      description
1821	       "Version information for TUDA MIB, e.g., specific release
1822	        version of TPM 1.2 base specification and release version
1823	        of TPM 1.2 errata specification and manufacturer and model
1824	        TPM module itself.";
1825	    }
1826	  }

1828	  container tudaV1AIKCert {

1830	    leaf tudaV1AIKCertCycles {
1831	      type yang:counter32;
1832	      config false;
1833	      description
1834	       "Count of AIK Certificate chain update cycles that have
1835	        occurred.

1837	        DEFVAL intentionally omitted - counter object.";
1838	    }

1840	    /* XXX table comments here XXX */

1842	    list tudaV1AIKCertEntry {

1844	      key "tudaV1AIKCertCycleIndex tudaV1AIKCertInstanceIndex
1845	           tudaV1AIKCertFragmentIndex";
1846	        config false;
1847	      description
1848	       "An entry for one fragment of AIK Certificate data.";

1850	      leaf tudaV1AIKCertCycleIndex {
1851	        type int32 {
1852	          range "1..2147483647";
1853	        }
1854	        config false;
1855	        description
1856	         "High-order index of this AIK Certificate fragment.
1857	          Index of an AIK Certificate chain update cycle that has
1858	          occurred (bounded by the value of tudaV1AIKCertCycles).

1860	          DEFVAL intentionally omitted - index object.";
1861	      }

1863	      leaf tudaV1AIKCertInstanceIndex {
1864	        type int32 {
1865	          range "1..2147483647";
1866	        }
1867	        config false;
1868	        description
1869	         "Middle index of this AIK Certificate fragment.
1870	          Ordinal of this AIK Certificate in this chain, where the AIK
1871	          Certificate itself has an ordinal of '1' and higher ordinals
1872	          go *up* the certificate chain to the Root CA.

1874	          DEFVAL intentionally omitted - index object.";
1875	      }

1877	      leaf tudaV1AIKCertFragmentIndex {
1878	        type int32 {
1879	          range "1..2147483647";
1880	        }
1881	        config false;
1882	        description
1883	         "Low-order index of this AIK Certificate fragment.

1885	          DEFVAL intentionally omitted - index object.";
1886	      }

1888	      leaf tudaV1AIKCertData {
1889	        type binary {
1890	          length "0..1024";
1891	        }
1892	        config false;
1893	        description
1894	         "A fragment of CBOR encoded AIK Certificate data.";
1895	      }
1896	    }
1897	  }

1899	  container tudaV1TSACert {

1901	    leaf tudaV1TSACertCycles {
1902	      type yang:counter32;
1903	      config false;
1904	      description
1905	       "Count of TSA Certificate chain update cycles that have
1906	        occurred.

1908	        DEFVAL intentionally omitted - counter object.";
1909	    }

1911	    /* XXX table comments here XXX */

1913	    list tudaV1TSACertEntry {

1915	      key "tudaV1TSACertCycleIndex tudaV1TSACertInstanceIndex
1916	           tudaV1TSACertFragmentIndex";
1917	      config false;
1918	      description
1919	       "An entry for one fragment of TSA Certificate data.";

1921	      leaf tudaV1TSACertCycleIndex {
1922	        type int32 {
1923	          range "1..2147483647";
1924	        }
1925	        config false;
1926	        description
1927	         "High-order index of this TSA Certificate fragment.
1928	          Index of a TSA Certificate chain update cycle that has
1929	          occurred (bounded by the value of tudaV1TSACertCycles).

1931	          DEFVAL intentionally omitted - index object.";
1932	      }

1934	      leaf tudaV1TSACertInstanceIndex {
1935	        type int32 {
1936	          range "1..2147483647";
1937	        }
1938	        config false;
1939	        description
1940	         "Middle index of this TSA Certificate fragment.
1941	          Ordinal of this TSA Certificate in this chain, where the TSA
1942	          Certificate itself has an ordinal of '1' and higher ordinals
1943	          go *up* the certificate chain to the Root CA.

1945	          DEFVAL intentionally omitted - index object.";
1946	      }

1948	      leaf tudaV1TSACertFragmentIndex {
1949	        type int32 {
1950	          range "1..2147483647";
1951	        }
1952	        config false;
1953	        description
1954	         "Low-order index of this TSA Certificate fragment.

1956	          DEFVAL intentionally omitted - index object.";
1957	      }

1959	      leaf tudaV1TSACertData {
1960	        type binary {
1961	          length "0..1024";
1962	        }
1963	        config false;
1964	        description
1965	         "A fragment of CBOR encoded TSA Certificate data.";
1966	      }
1967	    }
1968	  }

1970	  container tudaV1SyncToken {

1972	    leaf tudaV1SyncTokenCycles {
1973	      type yang:counter32;
1974	      config false;
1975	      description
1976	       "Count of Sync Token update cycles that have
1977	        occurred.

1979	        DEFVAL intentionally omitted - counter object.";
1980	    }

1982	    leaf tudaV1SyncTokenInstances {
1983	      type yang:counter32;
1984	      config false;
1985	      description
1986	       "Count of Sync Token instance entries that have
1987	        been recorded (some entries MAY have been pruned).

1989	        DEFVAL intentionally omitted - counter object.";
1990	    }

1992	    /* XXX table comments here XXX */

1994	    list tudaV1SyncTokenEntry {

1996	      key "tudaV1SyncTokenCycleIndex
1997	           tudaV1SyncTokenInstanceIndex
1998	           tudaV1SyncTokenFragmentIndex";
1999	      config false;
2000	      description
2001	       "An entry for one fragment of Sync Token data.";

2003	      leaf tudaV1SyncTokenCycleIndex {
2004	        type int32 {
2005	          range "1..2147483647";
2006	        }
2007	        config false;
2008	        description
2009	         "High-order index of this Sync Token fragment.
2010	          Index of a Sync Token update cycle that has
2011	          occurred (bounded by the value of tudaV1SyncTokenCycles).

2013	          DEFVAL intentionally omitted - index object.";
2014	      }

2016	      leaf tudaV1SyncTokenInstanceIndex {
2017	        type int32 {
2018	          range "1..2147483647";
2019	        }
2020	        config false;
2021	        description
2022	         "Middle index of this Sync Token fragment.
2023	          Ordinal of this instance of Sync Token data
2024	          (NOT bounded by the value of tudaV1SyncTokenInstances).

2026	          DEFVAL intentionally omitted - index object.";
2027	      }

2029	      leaf tudaV1SyncTokenFragmentIndex {
2030	        type int32 {
2031	          range "1..2147483647";
2032	        }
2033	        config false;
2034	        description
2035	         "Low-order index of this Sync Token fragment.

2037	          DEFVAL intentionally omitted - index object.";
2038	      }

2040	      leaf tudaV1SyncTokenData {
2041	        type binary {
2042	          length "0..1024";
2043	        }
2044	        config false;
2045	        description
2046	         "A fragment of CBOR encoded Sync Token data.";
2047	      }
2048	    }
2049	  }

2051	  container tudaV1Restrict {

2053	    leaf tudaV1RestrictCycles {
2054	      type yang:counter32;
2055	      config false;
2056	      description
2057	       "Count of Restriction Info update cycles that have
2058	        occurred.

2060	        DEFVAL intentionally omitted - counter object.";
2061	    }

2063	    /* XXX table comments here XXX */

2065	    list tudaV1RestrictEntry {

2067	      key "tudaV1RestrictCycleIndex";
2068	      config false;
2069	      description
2070	       "An entry for one instance of Restriction Info data.";

2072	      leaf tudaV1RestrictCycleIndex {
2073	        type int32 {
2074	          range "1..2147483647";
2075	        }
2076	        config false;
2077	        description
2078	         "Index of this Restriction Info entry.
2079	          Index of a Restriction Info update cycle that has
2080	          occurred (bounded by the value of tudaV1RestrictCycles).

2082	          DEFVAL intentionally omitted - index object.";
2083	      }

2085	      leaf tudaV1RestrictData {
2086	        type binary {
2087	          length "0..1024";
2088	        }
2089	        config false;
2090	        description
2091	         "An instance of CBOR encoded Restriction Info data.";
2092	      }
2093	    }
2094	  }

2096	  container tudaV1Measure {

2098	    leaf tudaV1MeasureCycles {
2099	      type yang:counter32;
2100	      config false;
2101	      description
2102	       "Count of Measurement Log update cycles that have
2103	        occurred.

2105	        DEFVAL intentionally omitted - counter object.";
2106	    }

2108	    leaf tudaV1MeasureInstances {
2109	      type yang:counter32;
2110	      config false;
2111	      description
2112	       "Count of Measurement Log instance entries that have
2113	        been recorded (some entries MAY have been pruned).

2115	        DEFVAL intentionally omitted - counter object.";
2116	    }

2118	    /* XXX table comments here XXX */

2120	    list tudaV1MeasureEntry {

2122	      key "tudaV1MeasureCycleIndex tudaV1MeasureInstanceIndex";
2123	      config false;
2124	      description
2125	       "An entry for one instance of Measurement Log data.";

2127	      leaf tudaV1MeasureCycleIndex {
2128	        type int32 {
2129	          range "1..2147483647";
2130	        }
2131	        config false;
2132	        description
2133	         "High-order index of this Measurement Log entry.
2134	          Index of a Measurement Log update cycle that has
2135	          occurred (bounded by the value of tudaV1MeasureCycles).

2137	          DEFVAL intentionally omitted - index object.";
2138	      }

2140	      leaf tudaV1MeasureInstanceIndex {
2141	        type int32 {
2142	          range "1..2147483647";
2143	        }
2144	        config false;
2145	        description
2146	         "Low-order index of this Measurement Log entry.
2147	          Ordinal of this instance of Measurement Log data
2148	          (NOT bounded by the value of tudaV1MeasureInstances).

2150	          DEFVAL intentionally omitted - index object.";
2151	      }

2153	      leaf tudaV1MeasureData {
2154	        type binary {
2155	          length "0..1024";
2156	        }
2157	        config false;
2158	        description
2159	         "A instance of CBOR encoded Measurement Log data.";
2160	      }
2161	    }
2162	  }

2164	  container tudaV1VerifyToken {

2166	    leaf tudaV1VerifyTokenCycles {
2167	      type yang:counter32;
2168	      config false;
2169	      description
2170	       "Count of Verify Token update cycles that have
2171	        occurred.

2173	        DEFVAL intentionally omitted - counter object.";
2174	    }

2176	    /* XXX table comments here XXX */

2178	    list tudaV1VerifyTokenEntry {

2180	      key "tudaV1VerifyTokenCycleIndex";
2181	      config false;
2182	      description
2183	       "An entry for one instance of Verify Token data.";

2185	      leaf tudaV1VerifyTokenCycleIndex {
2186	        type int32 {
2187	          range "1..2147483647";
2188	        }
2189	        config false;
2190	        description
2191	         "Index of this instance of Verify Token data.
2192	          Index of a Verify Token update cycle that has
2193	          occurred (bounded by the value of tudaV1VerifyTokenCycles).

2195	          DEFVAL intentionally omitted - index object.";
2196	      }

2198	      leaf tudaV1VerifyTokenData {
2199	        type binary {
2200	          length "0..1024";
2201	        }
2202	        config false;
2203	        description
2204	         "A instance of CBOR encoded Verify Token data.";
2205	      }
2206	    }
2207	  }

2209	  container tudaV1SWIDTag {

2211	    leaf tudaV1SWIDTagCycles {
2212	      type yang:counter32;
2213	      config false;
2214	      description
2215	       "Count of SWID Tag update cycles that have occurred.

2217	        DEFVAL intentionally omitted - counter object.";
2218	    }

2220	    /* XXX table comments here XXX */

2222	    list tudaV1SWIDTagEntry {

2224	      key "tudaV1SWIDTagCycleIndex tudaV1SWIDTagInstanceIndex
2225	           tudaV1SWIDTagFragmentIndex";
2226	      config false;
2227	      description
2228	       "An entry for one fragment of SWID Tag data.";

2230	      leaf tudaV1SWIDTagCycleIndex {
2231	        type int32 {
2232	          range "1..2147483647";
2233	        }
2234	        config false;
2235	        description
2236	         "High-order index of this SWID Tag fragment.
2237	          Index of an SWID Tag update cycle that has
2238	          occurred (bounded by the value of tudaV1SWIDTagCycles).

2240	          DEFVAL intentionally omitted - index object.";
2241	      }

2243	      leaf tudaV1SWIDTagInstanceIndex {
2244	        type int32 {
2245	          range "1..2147483647";
2246	        }
2247	        config false;
2248	        description
2249	         "Middle index of this SWID Tag fragment.
2250	          Ordinal of this SWID Tag instance in this update cycle.

2252	          DEFVAL intentionally omitted - index object.";
2253	      }

2255	      leaf tudaV1SWIDTagFragmentIndex {
2256	        type int32 {
2257	          range "1..2147483647";
2258	        }
2259	        config false;
2260	        description
2261	         "Low-order index of this SWID Tag fragment.

2263	          DEFVAL intentionally omitted - index object.";
2264	      }

2266	      leaf tudaV1SWIDTagData {
2267	        type binary {
2268	          length "0..1024";
2269	        }
2270	        config false;
2271	        description
2272	         "A fragment of CBOR encoded SWID Tag data.";
2273	      }
2274	    }
2275	  }

2277	  notification tudaV1TrapV2Cycles {
2278	    description
2279	     "This trap is sent when the value of any cycle or instance
2280	      counter changes (i.e., one or more tables are updated).

2282	      Note:  The value of sysUpTime in IETF MIB-II (RFC 1213) is
2283	      always included in SNMPv2 traps, per RFC 3416.";

2285	    container tudaV1TrapV2Cycles-tudaV1GeneralCycles {
2286	      leaf tudaV1GeneralCycles {
2287	        type yang:counter32;
2288	        description
2289	         "Count of TUDA update cycles that have occurred, i.e.,
2290	          sum of all the individual group cycle counters.

2292	          DEFVAL intentionally omitted - counter object.";
2293	      }
2294	    }

2296	    container tudaV1TrapV2Cycles-tudaV1AIKCertCycles {
2297	      leaf tudaV1AIKCertCycles {
2298	        type yang:counter32;
2299	        description
2300	         "Count of AIK Certificate chain update cycles that have
2301	          occurred.

2303	          DEFVAL intentionally omitted - counter object.";
2304	      }
2305	    }

2307	    container tudaV1TrapV2Cycles-tudaV1TSACertCycles {
2308	      leaf tudaV1TSACertCycles {
2309	        type yang:counter32;
2310	        description
2311	         "Count of TSA Certificate chain update cycles that have
2312	          occurred.

2314	          DEFVAL intentionally omitted - counter object.";
2315	      }
2316	    }

2318	    container tudaV1TrapV2Cycles-tudaV1SyncTokenCycles {
2319	      leaf tudaV1SyncTokenCycles {
2320	        type yang:counter32;
2321	        description
2322	         "Count of Sync Token update cycles that have
2323	          occurred.

2325	          DEFVAL intentionally omitted - counter object.";
2326	      }

2328	    }

2330	    container tudaV1TrapV2Cycles-tudaV1SyncTokenInstances {
2331	      leaf tudaV1SyncTokenInstances {
2332	        type yang:counter32;
2333	        description
2334	         "Count of Sync Token instance entries that have
2335	          been recorded (some entries MAY have been pruned).

2337	          DEFVAL intentionally omitted - counter object.";
2338	      }
2339	    }

2341	    container tudaV1TrapV2Cycles-tudaV1RestrictCycles {
2342	      leaf tudaV1RestrictCycles {
2343	        type yang:counter32;
2344	        description
2345	         "Count of Restriction Info update cycles that have
2346	          occurred.

2348	          DEFVAL intentionally omitted - counter object.";
2349	      }
2350	    }

2352	    container tudaV1TrapV2Cycles-tudaV1MeasureCycles {
2353	      leaf tudaV1MeasureCycles {
2354	        type yang:counter32;
2355	        description
2356	         "Count of Measurement Log update cycles that have
2357	          occurred.

2359	          DEFVAL intentionally omitted - counter object.";
2360	      }
2361	    }

2363	    container tudaV1TrapV2Cycles-tudaV1MeasureInstances {
2364	      leaf tudaV1MeasureInstances {
2365	        type yang:counter32;
2366	        description
2367	         "Count of Measurement Log instance entries that have
2368	          been recorded (some entries MAY have been pruned).

2370	          DEFVAL intentionally omitted - counter object.";
2371	      }
2372	    }

2374	    container tudaV1TrapV2Cycles-tudaV1VerifyTokenCycles {
2375	      leaf tudaV1VerifyTokenCycles {
2376	        type yang:counter32;
2377	        description
2378	         "Count of Verify Token update cycles that have
2379	          occurred.

2381	          DEFVAL intentionally omitted - counter object.";
2382	      }
2383	    }

2385	    container tudaV1TrapV2Cycles-tudaV1SWIDTagCycles {
2386	      leaf tudaV1SWIDTagCycles {
2387	        type yang:counter32;
2388	        description
2389	         "Count of SWID Tag update cycles that have occurred.

2391	          DEFVAL intentionally omitted - counter object.";
2392	      }
2393	    }

2395	  }
2396	} /* end of module TUDA-V1-ATTESTATION-MIB */
2397	<CODE ENDS>

2399	Appendix D.  Realization with TPM 1.2 functions

2401	D.1.  TPM Functions

2403	   The following TPM structures, resources and functions are used within
2404	   this approach.  They are based upon the TPM 1.2 specification
2405	   [TPM12].

2407	D.1.1.  Tick-Session and Tick-Stamp

2409	   On every boot, the TPM initializes a new Tick-Session.  Such a tick-
2410	   session consists of a nonce that is randomly created upon each boot
2411	   to identify the current boot-cycle - the phase between boot-time of
2412	   the device and shutdown or power-off - and prevent replaying of old
2413	   tick-session values.  The TPM uses its internal entropy source that
2414	   guarantees virtually no collisions of the nonce values between two of
2415	   such boot cycles.

2417	   It further includes an internal timer that is being initialize to
2418	   Zero on each reboot.  From this point on, the TPM increments this
2419	   timer continuously based upon its internal secure clocking
2420	   information until the device is powered down or set to sleep.  By its
2421	   hardware design, the TPM will detect attacks on any of those
2422	   properties.

2424	   The TPM offers the function TPM_TickStampBlob, which allows the TPM
2425	   to create a signature over the current tick-session and two
2426	   externally provided input values.  These input values are designed to
2427	   serve as a nonce and as payload data to be included in a
2428	   TickStampBlob: TickstampBlob := sig(TPM-key, currentTicks || nonce ||
2429	   externalData).

2431	   As a result, one is able to proof that at a certain point in time
2432	   (relative to the tick-session) after the provisioning of a certain
2433	   nonce, some certain externalData was known and provided to the TPM.
2434	   If an approach however requires no input values or only one input
2435	   value (such as the use in this document) the input values can be set
2436	   to well-known value.  The convention used within TCG specifications
2437	   and within this document is to use twenty bytes of zero
2438	   h'0000000000000000000000000000000000000000' as well-known value.

2440	D.1.2.  Platform Configuration Registers (PCRs)

2442	   The TPM is a secure cryptoprocessor that provides the ability to
2443	   store measurements and metrics about an endpoint's configuration and
2444	   state in a secure, tamper-proof environment.  Each of these security
2445	   relevant metrics can be stored in a volatile Platform Configuration
2446	   Register (PCR) inside the TPM.  These measurements can be conducted
2447	   at any point in time, ranging from an initial BIOS boot-up sequence
2448	   to measurements taken after hundreds of hours of uptime.

2450	   The initial measurement is triggered by the Platforms so-called pre-
2451	   BIOS or ROM-code.  It will conduct a measurement of the first
2452	   loadable pieces of code; i.e.\ the BIOS.  The BIOS will in turn
2453	   measure its Option ROMs and the BootLoader, which measures the OS-
2454	   Kernel, which in turn measures its applications.  This describes a
2455	   so-called measurement chain.  This typically gets recorded in a so-
2456	   called measurement log, such that the values of the PCRs can be
2457	   reconstructed from the individual measurements for validation.

2459	   Via its PCRs, a TPM provides a Root of Trust that can, for example,
2460	   support secure boot or remote attestation.  The attestation of an
2461	   endpoint's identity or security posture is based on the content of an
2462	   TPM's PCRs (platform integrity measurements).

2464	D.1.3.  PCR restricted Keys

2466	   Every key inside the TPM can be restricted in such a way that it can
2467	   only be used if a certain set of PCRs are in a predetermined state.
2468	   For key creation the desired state for PCRs are defined via the
2469	   PCRInfo field inside the keyInfo parameter.  Whenever an operation
2470	   using this key is performed, the TPM first checks whether the PCRs
2471	   are in the correct state.  Otherwise the operation is denied by the
2472	   TPM.

2474	D.1.4.  CertifyInfo

2476	   The TPM offers a command to certify the properties of a key by means
2477	   of a signature using another key.  This includes especially the
2478	   keyInfo which in turn includes the PCRInfo information used during
2479	   key creation.  This way, a third party can be assured about the fact
2480	   that a key is only usable if the PCRs are in a certain state.

2482	D.2.  Protocol and Procedure

2484	D.2.1.  AIK and AIK Certificate

2486	   Attestations are based upon a cryptographic signature performed by
2487	   the TPM using a so-called Attestation Identity Key (AIK).  An AIK has
2488	   the properties that it cannot be exported from a TPM and is used for
2489	   attestations.  Trust in the AIK is established by an X.509
2490	   Certificate emitted by a Certificate Authority.  The AIK certificate
2491	   is either provided directly or via a so-called PrivacyCA
2492	   [AIK-Enrollment].

2494	   This element consists of the AIK certificate that includes the AIK's
2495	   public key used during verification as well as the certificate chain
2496	   up to the Root CA for validation of the AIK certificate itself.

2498	   TUDA-Cert = [AIK-Cert, TSA-Cert]; maybe split into two for SNMP
2499	   AIK-Cert = Cert
2500	   TSA-Cert = Cert

2502	                    Figure 2: TUDA-Cert element in CDDL

2504	   The TSA-Cert is a standard certificate of the TSA.

2506	   The AIK-Cert may be provisioned in a secure environment using
2507	   standard means or it may follow the PrivacyCA protocols.  Figure 3
2508	   gives a rough sketch of this protocol.  See [AIK-Enrollment] for more
2509	   information.

2511	   The X.509 Certificate is built from the AIK public key and the
2512	   corresponding PKCS #7 certificate chain, as shown in Figure 3.

2514	   Required TPM functions:

2516	   | create_AIK_Cert(...) = {
2517	   |   AIK = TPM_MakeIdentity()
2518	   |   IdReq = CollateIdentityRequest(AIK,EK)
2519	   |   IdRes = Call(AIK-CA, IdReq)
2520	   |   AIK-Cert = TPM_ActivateIdentity(AIK, IdRes)
2521	   | }
2522	   |
2523	   | /* Alternative */
2524	   |
2525	   | create_AIK_Cert(...) = {
2526	   |   AIK = TPM_CreateWrapKey(Identity)
2527	   |   AIK-Cert = Call(AIK-CA, AIK.pubkey)
2528	   | }

2530	                 Figure 3: Creating the TUDA-Cert element

2532	D.2.2.  Synchronization Token

2534	   The reference for Attestations are the Tick-Sessions of the TPM.  In
2535	   order to put Attestations into relation with a Real Time Clock (RTC),
2536	   it is necessary to provide a cryptographic synchronization between
2537	   the tick session and the RTC.  To do so, a synchronization protocol
2538	   is run with a Time Stamp Authority (TSA) that consists of three
2539	   steps:

2541	   o  The TPM creates a TickStampBlob using the AIK

2543	   o  This TickstampBlob is used as nonce to the Timestamp of the TSA

2545	   o  Another TickStampBlob with the AIK is created using the TSA's
2546	      Timestamp a nonce

2548	   The first TickStampBlob is called "left" and the second "right" in a
2549	   reference to their position on a time-axis.

2551	   These three elements, with the TSA's certificate factored out, form
2552	   the synchronization token
2553	   TUDA-Synctoken = [
2554	     left: TickStampBlob-Output,
2555	     timestamp: TimeStampToken,
2556	     right: TickStampBlob-Output,
2557	   ]

2559	   TimeStampToken = bytes ; RFC 3161

2561	   TickStampBlob-Output = [
2562	     currentTicks: TPM-CURRENT-TICKS,
2563	     sig: bytes,
2564	   ]

2566	   TPM-CURRENT-TICKS = [
2567	     currentTicks: uint
2568	     ? (
2569	       tickRate: uint
2570	       tickNonce: TPM-NONCE
2571	     )
2572	   ]
2573	   ; Note that TickStampBlob-Output "right" can omit the values for
2574	   ;   tickRate and tickNonce since they are the same as in "left"

2576	   TPM-NONCE = bytes .size 20

2578	                    Figure 4: TUDA-Sync element in CDDL

2580	   Required TPM functions:

2582	   | dummyDigest = h'0000000000000000000000000000000000000000'
2583	   | dummyNonce = dummyDigest
2584	   |
2585	   | create_sync_token(AIKHandle, TSA) = {
2586	   |   ts_left = TPM_TickStampBlob(
2587	   |       keyHandle = AIK_Handle,      /*TPM_KEY_HANDLE*/
2588	   |       antiReplay = dummyNonce,     /*TPM_NONCE*/
2589	   |       digestToStamp = dummyDigest  /*TPM_DIGEST*/)
2590	   |
2591	   |   ts = TSA_Timestamp(TSA, nonce = hash(ts_left))
2592	   |
2593	   |   ts_right = TPM_TickStampBlob(
2594	   |       keyHandle = AIK_Handle,      /*TPM_KEY_HANDLE*/
2595	   |       antiReplay = dummyNonce,     /*TPM_NONCE*/
2596	   |       digestToStamp = hash(ts))    /*TPM_DIGEST*/
2597	   |
2598	   |   TUDA-SyncToken = [[ts_left.ticks, ts_left.sig], ts,
2599	   |                     [ts_right.ticks.currentTicks, ts_right.sig]]
2600	   |   /* Note: skip the nonce and tickRate field for ts_right.ticks */
2601	   | }

2603	                 Figure 5: Creating the Sync-Token element

2605	D.2.3.  RestrictionInfo

2607	   The attestation relies on the capability of the TPM to operate on
2608	   restricted keys.  Whenever the PCR values for the machine to be
2609	   attested change, a new restricted key is created that can only be
2610	   operated as long as the PCRs remain in their current state.

2612	   In order to prove to the Verifier that this restricted temporary key
2613	   actually has these properties and also to provide the PCR value that
2614	   it is restricted, the TPM command TPM_CertifyInfo is used.  It
2615	   creates a signed certificate using the AIK about the newly created
2616	   restricted key.

2618	   This token is formed from the list of:

2620	   o  PCR list,

2622	   o  the newly created restricted public key, and

2624	   o  the certificate.

2626	 TUDA-RestrictionInfo = [Composite,
2627	                         restrictedKey_Pub: Pubkey,
2628	                         CertifyInfo]

2630	 PCRSelection = bytes .size (2..4) ; used as bit string

2632	 Composite = [
2633	   bitmask: PCRSelection,
2634	   values: [*PCR-Hash],
2635	 ]

2637	 Pubkey = bytes ; may be extended to COSE pubkeys

2639	 CertifyInfo = [
2640	   TPM-CERTIFY-INFO,
2641	   sig: bytes,
2642	 ]

2644	 TPM-CERTIFY-INFO = [
2645	   ; we don't encode TPM-STRUCT-VER:
2646	   ; these are 4 bytes always equal to h'01010000'
2647	   keyUsage: uint, ; 4byte? 2byte?
2648	   keyFlags: bytes .size 4, ; 4byte
2649	   authDataUsage: uint, ; 1byte (enum)
2650	   algorithmParms: TPM-KEY-PARMS,
2651	   pubkeyDigest: Hash,
2652	   ; we don't encode TPM-NONCE data, which is 20 bytes, all zero
2653	   parentPCRStatus: bool,
2654	   ; no need to encode pcrinfosize
2655	   pcrinfo: TPM-PCR-INFO,        ; we have exactly one
2656	 ]

2658	 TPM-PCR-INFO = [
2659	     pcrSelection: PCRSelection; /* TPM_PCR_SELECTION */
2660	     digestAtRelease: PCR-Hash;  /* TPM_COMPOSITE_HASH */
2661	     digestAtCreation: PCR-Hash; /* TPM_COMPOSITE_HASH */
2662	 ]

2664	 TPM-KEY-PARMS = [
2665	   ; algorithmID: uint, ; <= 4 bytes -- not encoded, constant for TPM1.2
2666	   encScheme: uint, ; <= 2 bytes
2667	   sigScheme: uint, ; <= 2 bytes
2668	   parms: TPM-RSA-KEY-PARMS,
2669	 ]

2671	 TPM-RSA-KEY-PARMS = [
2672	   ; "size of the RSA key in bits":
2673	   keyLength: uint
2674	   ; "number of prime factors used by this RSA key":
2675	   numPrimes: uint
2676	   ; "This SHALL be the size of the exponent":
2677	   exponentSize: null / uint / biguint
2678	   ; "If the key is using the default exponent then the exponentSize
2679	   ; MUST be 0" -> we represent this case as null
2680	 ]

2682	                    Figure 6: TUDA-Key element in CDDL

2684	   Required TPM functions:

2686	   | dummyDigest = h'0000000000000000000000000000000000000000'
2687	   | dummyNonce = dummyDigest
2688	   |
2689	   | create_Composite
2690	   |
2691	   | create_restrictedKey_Pub(pcrsel) = {
2692	   |   PCRInfo = {pcrSelection = pcrsel,
2693	   |              digestAtRelease = hash(currentValues(pcrSelection))
2694	   |              digestAtCreation = dummyDigest}
2695	   |   / * PCRInfo is a TPM_PCR_INFO and thus also a TPM_KEY */
2696	   |
2697	   |   wk = TPM_CreateWrapKey(keyInfo = PCRInfo)
2698	   |   wk.keyInfo.pubKey
2699	   | }
2700	   |
2701	   | create_TPM-Certify-Info = {
2702	   |   CertifyInfo = TPM_CertifyKey(
2703	   |       certHandle = AIK,          /* TPM_KEY_HANDLE */
2704	   |       keyHandle = wk,            /* TPM_KEY_HANDLE */
2705	   |       antiReply = dummyNonce)    /* TPM_NONCE */
2706	   |
2707	   |   CertifyInfo.strip()
2708	   |   /* Remove those values that are not needed */
2709	   | }

2711	                       Figure 7: Creating the pubkey

2713	D.2.4.  Measurement Log

2715	   Similarly to regular attestations, the Verifier needs a way to
2716	   reconstruct the PCRs' values in order to estimate the trustworthiness
2717	   of the device.  As such, a list of those elements that were extended
2718	   into the PCRs is reported.  Note though that for certain
2719	   environments, this step may be optional if a list of valid PCR
2720	   configurations exists and no measurement log is required.

2722	   TUDA-Measurement-Log = [*PCR-Event]
2723	   PCR-Event = [
2724	     type: PCR-Event-Type,
2725	     pcr: uint,
2726	     template-hash: PCR-Hash,
2727	     filedata-hash: tagged-hash,
2728	     pathname: text; called filename-hint in ima (non-ng)
2729	   ]

2731	   PCR-Event-Type = &(
2732	     bios: 0
2733	     ima: 1
2734	     ima-ng: 2
2735	   )

2737	   ; might want to make use of COSE registry here
2738	   ; however, that might never define a value for sha1
2739	   tagged-hash /= [sha1: 0, bytes .size 20]
2740	   tagged-hash /= [sha256: 1, bytes .size 32]

2742	D.2.5.  Implicit Attestation

2744	   The actual attestation is then based upon a TickStampBlob using the
2745	   restricted temporary key that was certified in the steps above.  The
2746	   TPM-Tickstamp is executed and thereby provides evidence that at this
2747	   point in time (with respect to the TPM internal tick-session) a
2748	   certain configuration existed (namely the PCR values associated with
2749	   the restricted key).  Together with the synchronization token this
2750	   tick-related timing can then be related to the real-time clock.

2752	   This element consists only of the TPM_TickStampBlock with no nonce.

2754	   TUDA-Verifytoken = TickStampBlob-Output

2756	                   Figure 8: TUDA-Verify element in CDDL

2758	   Required TPM functions:

2760	   | imp_att = TPM_TickStampBlob(
2761	   |     keyHandle = restrictedKey_Handle,     /*TPM_KEY_HANDLE*/
2762	   |     antiReplay = dummyNonce,              /*TPM_NONCE*/
2763	   |     digestToStamp = dummyDigest)          /*TPM_DIGEST*/
2764	   |
2765	   | VerifyToken = imp_att

2767	                    Figure 9: Creating the Verify Token

2769	D.2.6.  Attestation Verification Approach

2771	   The seven TUDA information elements transport the essential content
2772	   that is required to enable verification of the attestation statement
2773	   at the Verifier.  The following listings illustrate the verification
2774	   algorithm to be used at the Verifier in pseudocode.  The pseudocode
2775	   provided covers the entire verification task.  If only a subset of
2776	   TUDA elements changed (see Section 3.1), only the corresponding code
2777	   listings need to be re-executed.

2779	   | TSA_pub = verifyCert(TSA-CA, Cert.TSA-Cert)
2780	   | AIK_pub = verifyCert(AIK-CA, Cert.AIK-Cert)

2782	                  Figure 10: Verification of Certificates

2784	  | ts_left = Synctoken.left
2785	  | ts_right = Synctoken.right
2786	  |
2787	  | /* Reconstruct ts_right's omitted values; Alternatively assert == */
2788	  | ts_right.currentTicks.tickRate = ts_left.currentTicks.tickRate
2789	  | ts_right.currentTicks.tickNonce = ts_left.currentTicks.tickNonce
2790	  |
2791	  | ticks_left = ts_left.currentTicks
2792	  | ticks_right = ts_right.currentTicks
2793	  |
2794	  | /* Verify Signatures */
2795	  | verifySig(AIK_pub, dummyNonce || dummyDigest || ticks_left)
2796	  | verifySig(TSA_pub, hash(ts_left) || timestamp.time)
2797	  | verifySig(AIK_pub, dummyNonce || hash(timestamp) || ticks_right)
2798	  |
2799	  | delta_left = timestamp.time -
2800	  |     ticks_left.currentTicks * ticks_left.tickRate / 1000
2801	  |
2802	  | delta_right = timestamp.time -
2803	  |     ticks_right.currentTicks * ticks_right.tickRate / 1000

2805	             Figure 11: Verification of Synchronization Token

2807	   | compositeHash = hash_init()
2808	   | for value in Composite.values:
2809	   |     hash_update(compositeHash, value)
2810	   | compositeHash = hash_finish(compositeHash)
2811	   |
2812	   | certInfo = reconstruct_static(TPM-CERTIFY-INFO)
2813	   |
2814	   | assert(Composite.bitmask == ExpectedPCRBitmask)
2815	   | assert(certInfo.pcrinfo.PCRSelection == Composite.bitmask)
2816	   | assert(certInfo.pcrinfo.digestAtRelease == compositeHash)
2817	   | assert(certInfo.pubkeyDigest == hash(restrictedKey_Pub))
2818	   |
2819	   | verifySig(AIK_pub, dummyNonce || certInfo)

2821	                Figure 12: Verification of Restriction Info

2823	   | for event in Measurement-Log:
2824	   |     if event.pcr not in ExpectedPCRBitmask:
2825	   |         continue
2826	   |     if event.type == BIOS:
2827	   |         assert_whitelist-bios(event.pcr, event.template-hash)
2828	   |     if event.type == ima:
2829	   |         assert(event.pcr == 10)
2830	   |         assert_whitelist(event.pathname, event.filedata-hash)
2831	   |         assert(event.template-hash ==
2832	   |                hash(event.pathname || event.filedata-hash))
2833	   |     if event.type == ima-ng:
2834	   |         assert(event.pcr == 10)
2835	   |         assert_whitelist-ng(event.pathname, event.filedata-hash)
2836	   |         assert(event.template-hash ==
2837	   |                hash(event.pathname || event.filedata-hash))
2838	   |
2839	   |     virtPCR[event.pcr] = hash_extend(virtPCR[event.pcr],
2840	   |                                      event.template-hash)
2841	   |
2842	   | for pcr in ExpectedPCRBitmask:
2843	   |     assert(virtPCR[pcr] == Composite.values[i++]

2845	                Figure 13: Verification of Measurement Log

2847	  | ts = Verifytoken
2848	  |
2849	  | /* Reconstruct ts's omitted values; Alternatively assert == */
2850	  | ts.currentTicks.tickRate = ts_left.currentTicks.tickRate
2851	  | ts.currentTicks.tickNonce = ts_left.currentTicks.tickNonce
2852	  |
2853	  | verifySig(restrictedKey_pub, dummyNonce || dummyDigest || ts)
2854	  |
2855	  | ticks = ts.currentTicks
2856	  |
2857	  | time_left = delta_right + ticks.currentTicks * ticks.tickRate / 1000
2858	  | time_right = delta_left + ticks.currentTicks * ticks.tickRate / 1000
2859	  |
2860	  | [time_left, time_right]

2862	               Figure 14: Verification of Attestation Token

2864	Acknowledgements

2866	Authors' Addresses

2868	   Andreas Fuchs
2869	   Fraunhofer Institute for Secure Information Technology
2870	   Rheinstrasse 75
2871	   Darmstadt  64295
2872	   Germany

2874	   Email: andreas.fuchs@sit.fraunhofer.de

2876	   Henk Birkholz
2877	   Fraunhofer Institute for Secure Information Technology
2878	   Rheinstrasse 75
2879	   Darmstadt  64295
2880	   Germany

2882	   Email: henk.birkholz@sit.fraunhofer.de

2884	   Ira E McDonald
2885	   High North Inc
2886	   PO Box 221
2887	   Grand Marais  49839
2888	   US

2890	   Email: blueroofmusic@gmail.com
2891	   Carsten Bormann
2892	   Universitaet Bremen TZI
2893	   Bibliothekstr. 1
2894	   Bremen  D-28359
2895	   Germany

2897	   Phone: +49-421-218-63921
2898	   Email: cabo@tzi.org